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HEALTH MONITORING AND DIAGNOSTIC exercise, diet, or drug therapy programs in response to high 

DEVICE AND NETWORK-BASED HEALTH cholesterol tests often give up their corrective programs 

ASSESSMENT AND MEDICAL RECORDS because they do not monitor their cholesterol frequently 

MAINTENANCE SYSTEM enough to remain aware of the benefits of their programs. 

5 Moreover, blood cholesterol numbers by themselves are 

REFERENCE TO RELATED APPUCATION often poor motivators for patients who feci and look fine. 

rru- V r 1 • • w * I jTTo and do not immediately feel or look differently when ihey 

This application claims priority to commonly-owned U.S. . i »u • • i r * * j- u l . or^m 

Provisional Patent AppUcation No. 60/107.704; filed Nov. 9, « P'^cnptions fact studies have shown that 80% 

1998; and common^^wned U.S. Provisional Patent Appli^ °^ P^"!"'' P^^"''*" ^h^lesterol-lowermg drug thera- 

cation No. 60/144,705, filed Jul. 20, 1999. pies stop takmg their prescnpt.ons within a few months. And 

the attntion rates for exercise and diet programs may be even 

TECHNICAL FIELD ^^^S*^^""* 

In addition, there is a need for a medical records main- 

This invention relates to health monitoring and diagnostic ,enance system, not only for blood cholesterol tests but for 
devices and, more particularly, relates to a hand-held device 15 many types of medical information that can be obtained 
operable for determming blood hpid levels from test-strip ^^^i^^ t^e hospital environment. This need will increase 
analyses, obtaimng additional diagnostic information from a vvith increases in the availability of remote health monitor- 
user, displaymg corresponding diagnostic results, and stor- i^g devices in the future, such as blood pressure measuring 
ing this data on a secure palient-held data earner, such as a devices, blood sugar testing devices, blood cholesterol test- 
smartcard. The invention also relates to a secure network- 20 ing devices. AIDS testing devices, heart monitoring devices, 
based health assessment and medical records maintenance ^jeep respiration monitoring devices, reproductive cycle and 
system that receives medical information from the heahh pregnancy monitoring devices, epileptic and other types of 
monitoring and diagnostic devices, produces health assess- seizure monitoring devices, and a wide range of other 
ments based on the received medical mformation, and stores remote health monitoring devices that may be developed in 
the received medical mformation in a secure medical records 25 the future. As the availability of the remote health monitor- 
maintenance system. jj^g devices increases, users will have an increasing need for 
ttAr'i-rDriTTNm nj: toc TNrv/rrNrrrnxT securely storing the tests results in electronic format. The 
BACKGROUND OF THE INVENTION current system of hard-copy and electronic medical records 

American health care is undergoing a revolution. By the maintained in doctors* offices will become increasingly 

year 2000, more than two-thirds of all American workers obsolete and inconvenient as the availability of 

with health insurance will be enrolled in some kind of electronically -stored medical data increases. Because a 

managed care plan, where the emphasis is on early detection patient's medical records are highly confidential, there is a 

of disease and preventive care. need for a highly secure and permanent medical records 

Fueling this revolution is the skyrocketing cost of health maintenance system under the control of individual patients 

care, combined with new medical research showing lifestyle doctors. 

is important to good health. In fact, in its 1982 report on Thus, there is a general need in the art for a less expensive 
"Heahh and Behavior," the National Academy of Sciences and more convenient approach to providing cholesterol 
concluded that half of the ten leading causes of death in the tests. There is a further need for making motivational 
United States are primarily related to lifestyle. Dietary information regarding cholesterol levels more readily avail- 
patterns are identified as key lifestyle choices. able and more effective. And there is yet another need for a 
Cholesterol levels are particularly important in the United highly secure and permanent medical records maintenance 
States. For this reason, the American Heart Association, the system under the control of individual patients and their 
American Medical Association and the health related agen- doctors. 

cies of the U.S. government have embarked on national .5 ci m>f a dv rn? ttjh TNn/nxrrrnxT 

education campaigns to inform the public about the impor- ' SUMMARY OF THE INVENTION 

tance of making lifestyle changes to lower blood cholesterol The present invention meets the needs described above in 

and prevent heart disease. Although the dangers of high a health monitoring and diagnostic device referred to as a 

cholesterol have been widely publicized, many people fail to UFESTREAM cholesterol meter. This meter is configured 

make effective use of this information because they do not as a self-contained testing and diagnostic unit in a clam-shell 

know their own blood cholesterol levels. In other words, a type case. One side of the case includes a biological sample 

great many of the people with high cholesterol levels fail to gathering device, such as spring-loaded finger stick, and a 

heed the advice to lower their cholesterol levels simply compartment for carrying one or more packages of dispos- 

because they are unaware of their own cholesterol levels. able items, typically including a test strip, a needle for the 

This situation persists because of the high cost and 55 finger stick, and an alcohol swipe. The other half of the case 

inconvenience presently involved in obtaining cholesterol includes a test strip reader, a user input device such as a key 

information. To obtain this information, most people go to a pad, and a display device such as a liquid crystal display. The 

physician's office, have blood drawn, and wait for the return meter reads a test strip carrying a biological sample, such as 

of the blood chemistry analysis. Often, obtaining the results a droplet of blood, and within minutes displays test results, 

involves a second trip to the physician's office. This is ^^^^ ^^^^ cholesterol levels, on the meter's display, 

expensive and time consuming; the average cost is about The hand-held LIFESTREAM cholesterol meter drasti- 

$83 for each office cholesterol consultation, and the average cally reduces the costs and inconvenience associated with 

wait for the results is several days. obtaining cholesterol tests by performing total cholesterol 

The cost and inconvenience involved in obtaining cho- tests in virtually any location, including a physician's office, 

lesterol tests inhibits many people from testing their cho- 65 a pharmacy, a clinic, or in the privacy of the patient's home, 

lesterol frequently enough to provide effective positive The meter produces the test results within minutes using 

feedback. As a result, many people who begin conective on-board circuitry and programming. The meter also 
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includes an on-board diagnostic program that prompts for 
additional diagnostic information, such as the patient's age, 
gender, -weighty family history-of- heart disease, blood 
pressure, and so forth. The meter then translates this diag- 
nostic information, along with the test results, into diagnos- 
tic results that may be more meaningful to the user than the 
test results alone. For example, the meter may use a well- 
known methodology, such as the Framingham Medical 
Study, to produce diagnostic results including the user's 
cardiac age (as compared to chronological age), recom- 
mended weight loss, 5-year risk of heart attack, 10-year risk 
of heart attack, an assessment of stroke risk, and other results 
that will be easily and immediately understood by the 
patient. Like the test results themselves, these more mean- 
ingful diagnostic results are displayed on the meter within 
minutes. 

Producing diagnostic results like "cardiac age" and 
"5-year risk of heart attack" rather than total cholesterol 
levels alone may motivate more people to change their 
lifestyles and reduce their cholesterol levels. Moreover, 
producing these diagnostic results instantaneously, 
inexpensively, and in a convenient location encourages 
frequent testing and provides patients with the positive 
feedback necessary to encourage continued compliance with 
drug therapies and lifestyle changes. Ultimately, widespread 
use of the LIFESTREAM cholesterol meter can be expected 
to improve cardiac health nationwide, shift the focus of 
cardiac treatment from corrective to preventative, improve 
the cardiac health of the population in general, and reduce 
medical costs and health insurance rates. 

The benefits of the LIFESTREAM cholesterol meter may 
be improved over time and extended to other health prob- 
lems because the meter is programmable and configured to 
perform miiltiple types of tests. That is, although the meter 
will be initially configured to perform total cholesterol tests 
using test strips and human blood samples, it is also con- 
figured to perform multiple types of tests using different 
types of test strips or other test media carrying other types 
of biological fluid or tissue samples. For example, the meter 
may also produce other types of blood lipid test results, such 
as HDL cholesterol, triglycerides, LDL cholesterol, etc. The 
meter may also perform other types of tests, such as blood 
glucose tests, AIDS tests, cancer tests, and virtually any 
other type of test that can be performed using a test strip or 
another suitable test medium carrying a sample of biological 
fluid or tissue. To accommodate multiple tests, the meter 
typically includes four romkey sockets that allow the meter 
to carry and read four different romkeys. 

The LIFESTREAM cholesterol meter also works in con- 
nection with a network-based comprehensive health analysis 
and reporting system. The meter includes a data drive that 
writes patient data stored within the meter to a patient-held 
data storage device, such as a smartcard. This patient data 
typicaUy includes patient identification information, the test 
results, the diagnostic information, and the diagnostic 
results. A computer station, such as a typical desktop or 
laptop personal computer, can then read the smartcard and 
estabhsh a network connection with a health report server, 
typically over the Internet. The computer then downloads 
the patient data to the health report server, which prepares a 
comprehensive healfli report. TTiis report is then transmitted 
back to the computer station, where it is printed out and 
delivered to the patient. 

The health report server typically works in concert with 
the patient's physician or pharmacist, who may provide 
additional diagnostic information to the server, such as a 
newly-prescribed drug therapy, other currently-prescribed 
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drugs for the patient, exercise and dietary recommendations, 
and so forth. Within minutes, the health report server 
assembles a comprehensive health report including a data ^ 
sheet for the newly-prescribed drug, cross-reaction informa- 

5 lion for the newly-prescribed drug and the other currently - 
prescribed drugs, weight and total cholesterol goals, exercise 
and dietary recommendations, any food or activity warnings 
associated with the overall therapy package, and recommen- 
dations for on-going monitoring using the meter. This pro- 
vides a complete written record of the patient's current 
condition, the therapy prescribed by the physician and filled 
by the pharmacist, and a roadmap for monitoring the 
patient's progress during the ensuing therapy. 

The comprehensive health report may also include addi- 
ng tional patient-specific information such as the diagnostic 
information and results compiled by the meter, and addi- 
tional diagnostic and health assessment information com- 
piled by the server. For example, the report may include a 
trend analysis showing how cholesterol, blood glucose, and 

20 w^igtit levels have changed over multiple readings. The 
report may also include generally-applicable educational 
information, such as coronary risk factors, dietary guidelines 
for reducing cholesterol levels, diabetes information, cancer 
information, and the like. At present, a patient may have to 

25 undergo a physical examination, pay thousands of dollars, 
and wait weeks to obtain a similar comprehensive health 
report. The network-based comprehensive health analysis 
and reporting system, working in concert with the 
LIFESTREAM cholesterol meter, allows the patient to 

3Q obtain the report within minutes at a fraction of the cost. 
The meter also includes a number of advantageous secu- 
rity features. For example, the meter cannot be activated 
until a user enters a proper activation code. This typically 
requires that the user call the manufacturer, which provides 

35 an opportunity to verify the meter^s authenticity, set up a 
data file for the meter in the health report server, and tell the 
user how to update the meter software, if necessary. If a 
software update is indicated, the user may be instructed to 
activate the meter, initialize a smartcard, load the smartcard 

40 into a computer station, and establish a network connection 
with the health report server. The server can then download 
the new software (e.g., new version of an existing software 
module or a new software module) to the smartcard, which, 
in turn, can be placed back in the meter. The new software 

45 can then be uploaded to the meter. 

The meter may also require validation of all test strips. 
Validation is important for some types of tests because 
readings obtained from each test strip will have to be 
interpreted correctly to obtain correct test results, and the 

50 calibration data used to interpret the readings from different 
lots of test strips may vary significantly. To allow proper 
calibration, each lot of test strips has a corresponding 
memory device, such as a romkey, that must be placed into 
the meter. The romkey includes a code number, an expira- 

55 tion date, and the calibration data for interpreting readings 
from the corresponding test strips. A test strip identification 
number that is mathematicaUy derived from the code num- 
ber is printed on the test strips or their packaging. The user 
must enter the proper test strip identification number into the 

60 meter, which the meter verifies with reference to the code 
number and the expiration date read from the romkey. This 
allows the meter to prevent the use of expired test strips and 
to also prevent test strips fi'om being used in combination 
with incorrect romkeys. 

65 Test strip validation is also an important aspect of one 
btisiness model for deploying the meters. That is, the meters 
themselves may be provided for use at Uttie or no charge to 
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individual paiieats, whereas proprietary test strips will be the display device. The processor contains a program mod- 
sold to generate revenue from use of the meter. This may be ule that obtains the test results from the test strip reader and 
a desirable b\isiness model for deploying the devices causes the display device to display the test results. A data 
because it minimizes the initial cost that an individual drive functionally connected to the processor writes the test 
patient must pay to begin using the device. Having to sell 5 results to a removable memory storage device, such as a 
each device at its full cost, on the other hand, would smartcard. The meter may be packaged in a clam-shell case 
undermine the economic feasibility of using the device in ^^^^ ^P®^ reveal first and second compartments. The first 
many contexts. For this business model, the meter should compartment may contain the enclosure for housing the 
only activate for use with proprietary test strips after vali- disposable test stnp and the holder for removably supporUng 
dation of the test strips. 10 biological fluid or tissue gathering device, and the 
™ , , . . * J . L • 1 second compartment may contain the test strip reader, the 
The meter may also require each smartcard to be mitial- «o!4;„„ A^.ri^^ tu^ a ^ a • 
ized with a personal identification number (PIN). Patient- ,h7da^d?fve 
specific PlNs allow multiple patients to use the same meter, ^ . . . 
and also allows each patient's data to be secure to that To provide acUvation verification, the meter may receive 
patient. That is, only the patient or someone authorized by is >n f^tivation code through the user mput device, compute an 
the patient (i.e.. knowing the patient's PIN) can read the ""'^ "^^'^ °° '^f '"f n«=ti°ns 
medical data stored on the smartcard. In this manner, each ^""'^^'^ j^,^ activation rouUne stored within the meter, 
patient conlrok his or her own medical data, which can be """^ "^''^^'^ "^'^^ ^°"P"'«,'' 
a particularly important attribute for highly sensitive medi- <:o"esponds to the received activation code. In addition, to 
cal data, such as AIDS tests, cancer tests, and the like. 20 Fo^'^* security to a patient s medical data the meter may 

„ „ . , . , determme whether a PIN has been previously stored on the 

Generally described, the invention provides a test stnp for removable memory storage device. If a Pm has not been 

use with a health monitonng device or meter. The test strip, previously stored on the removable memory storage device, 

when carrying a sample of biological fluid or Ussue, may be ^^^^ p^^,^^ ^„ ^o ^ pj^ ^j^^^^g 

read by the meter to obtara test results based on the sample received PIN on the removable memory storage device, 
and calibration data specific to the test strip. Hie test strip « Alternatively, if a PIN has been previously stored on the 

abo corresponds to a memory device that stores a code removable memory storage device, the meter prompte the 

number andthe calibration data, which may also be read by ,„ ^^j^, ^ pjfj_ compares the stored PIN to the received 

the meter. The test strip has an associated test strip identi- p,N, and writes the test results to the removable memory 

fication number that is mathematicaUy derived from the ^^ device only if the stored PIN corresponds to the 

code number and printed on the test strips, the packaging for received PIN 

the test strips, or a tag packaged with the test strips. ^^.^ ^^^^^^ ^^^^^^^^ ^ ^ 

To verify test strips, the meter reads the code number from second type of test strip carrying a second sample of 

the memory device, mathematically derives a test strip biological fluid or tissue and obtaining health-related test 

Identification number corresponding to the code number, results based on the second sample of biological tissue or 

compares the received test stnp identification number to the f^^^ calibration data specific to the second type of test 

derived test strip identification number, and activates the ^trip. In this case, the meter may include a second memory 

meter for use with the test stnp only if the received test strip reading device (e.g., romkey socket) functionally connected 

identification number corresponds to the derived test strip to the test strip reader and operable for reading calibration 

identification number. data from a second memory device (e.g., romkey) corre- 

The memory device may also store an expiration date for spending to the second type of test strip. For example, the 

the test strip, which may be read by the meter. In this case, meter may read both blood lipid test strips and blood glucose 

the meter may activate for use with the test strip only if the test strips. As noted previously, the meter typically includes 

expiration date is prior to a current date read by the meter four romkey sockets that allow the meter to carry and read 
from an internal clock. The memory device may be a romkey 45 four different romkeys. 

that is inserted into a socket housed within the meter. The xhe meter may also prompt the user to enter diagnostic 

romkey is typically packaged with an associated group of information using the user input device, such as gender, 

the test strips, and the test strip identification number is ethnicity, family history of heart disease, personal history of 

typically printed on the test strips, printed on packaging for heart disease, personal history of diabetes, personal history 
the test stnps, or printed on a tag packaged with the test strip, 50 of smoking, height, weight, age, blood pressure, and fitness 

The invention also provides a hand-held health monitor- level. The meter may then perform a diagnostic analysis and 

ing device or meter that includes an enclosure for housing a produce diagnostic results based on the lest results and 

disposable test strip for use with the meter. The meter also diagnostic information, and display diagnostic results. For 

includes a holder for removably supporting a device for example, the diagnostic results may include a medical risk 
gathering a sample of biological fluid or tissue, such as a 55 index, a recommended weight loss, a five-year risk of heart 

finger stick. The meter also includes a test strip reader attack, a ten-year risk of heart attack, a cardiac age, an 

operable for reading the test strip carrying the sample of extended age, and a risk of stroke. 

biological fluid or tissue and obtaining test results based on The invention also provides a system for remotely pro- 

the sample and calibration data specific to the test strip. A ducing health reports. This system includes a health moni- 

memory reading device (e.g., romkey socket) functionally toring device or meter, as described above, a computer 

connected to the test strip reader reads the calibration data station, and a health report server connected with the com- 

from a memory device (e.g., romkey). A user input device, puter station through a network, such as the Internet. The 

such as a key pad, receives user input commands and a meter writes health-related test results to a memory storage 

display device, such as a liquid crystal display, displays device. The computer station reads the test results from the 
information on the meter. 65 memory storage device, establishes a network connection 

The meter also includes a processor that is functionally with the health report server, receives additional diagnostic 

connected to the test strip reader, the user input device, and information from a user, and transmits the test results and the 
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additional diagnostic information to the health report server. involving the medical data to be performed by the testing 
The server, in turn, compiles a health report based on the test device. If the initial monetary balance is sufficient to pay for 
results and the additional diagnostic information and trans- the test, the health monitoring device computes a revised 
mits the health report to the computer station, where the monetary balance by deducting the monetary value assigned 
report may be printed and delivered to the patient. S to performance of the test from the initial monetary balance, 
nie health report may include a trend analysis with test 71="*^ the initial monetary balance with the revised men- 
results compiled for a number of samples, such as total ^'"^ ^^7" °° removable memory storage device, and 
. I ^ 1 1 f * J * ^ activates the health momtonng device for performance of 
cholesterol level and blood glucose level trend reports. The ^j^^ specified service 

additional diagnostic information may include a newly- ™ . . j i i - i j ^ • , j 

prescribed drug and other currenlly-prescribed drugs, and 10 busmess model also mcludes a system .hat mcludes 

the health report may include a data sheet for the newly- °' °^ health momtonng devices described 

prescribed drug and information relating to cross-reactions °' "^f* removable memory storage devices, and 

between the newly-prescribed drug and Uie other currently- " ne work-based server operable for remotely charging a 

prescribed drugs. Tlie health report may also include a target ^°f' '° ' f y^^*"' '=Tf''""8 '° 
weight and total cholesterol levels, a schedule for future 15 balance stored on the removable memory storage device, 

testing using the meter, health assessment summary, a coro- network-based server may also remotely store he 

nary risk assessment, dietary guidelines to lowercholesterol, """"^'"y ^^'Sf*'* '° performance of the test on the 

and other educational information. "^^""^'y ^'0^ gf/^vice. n this case, the health 

_ ^ . J , J M , , . . , . momtonng device reads the monetary value assigned to 

The business model described above is largely dependent performance of the test from the removable memory storage 

on the sale of proprietary test strips for the collection of j^vice. Thus, rate schedules for various services to be 

revenue from end users. That is, the health momtonng performed by the health monitoring device may be changed 

device Itself may be made available to individual paUents at f^^^ ^^^^ ^^^^ ^^sed on quantity discounts or other 

little or no cost, with the sale of proprietary test strips considerations 

providing a major source of revenue for the proprietor of the -^^^^^^^^ -^^^^^^ ^ ^^^^^^ ^^^^^^ ^^^^^^^ 

health momtonng device. As noted previously, this may be n,aintenance system. Although this system is spedficaUy 

a desirable busmess model for deploying the devices ^^^jj^ monitoring device described 

because it mmimizes the imUal cost that an mdiv.dua ,^ ^^^^^ electronic data 

patient must pay to begm using the device. Having to sell ^^^^^ ^ ^^^j^j ^^^^ ^ ^j^^. 

each device at its Ml «)st, on the other hand, would ^^^^ convenient for storing a wide range of electronic 

undemiine the economic feasibihty of using the device in ^^^^^ j^,^ generated remotely from the hospital or doc- 

many contexts. office environment. The secure medical records main- 

Nevertheless, it may also be desirable to provide a health tenance system includes a number of removable memory 

monitoring device that does not rely on the sale of propri- storage devices, which are each operable for storing medical 
etary test strips as a major source of revenue. For example, 3^ data for an associated patient. Each removable memory 

the heaUh monitoring device may be adapted to read non- storage device also stores a patient-specified personal iden- 

proprietary test strips, or may incorporate a reusable and/or tification number (PIN), a medical records identification 

non-invasive testing device, such as an elecU-ode, blood number secured by the PIN, and a patient identification 

pressure monitoring device, sonic testing device, number secured by the PIN. 

theraiomeler, saliva testing device, optical tesUng device, -^he data stored on the removable memory storage device 

and the hke. Of course, a non-mvasive multi-use testing ^ downloadable to a two-server system including a first 

device may be used many times without affording the remote server that stores patient identification infonnation 

propnetor of the health momtonng device an opportunity i^^^exed by patient identification numbers, and a second 

collect revenue associated with each use of the device. remote server that stores patient medical data indexed by the 
To provide an opportunity for the proprietor of the health 45 medical records identification number. For security 

monitoring device to collect revenue based on use of the purposes, the medical data maintained in the second remote 

device, the removable memory storage device may be uti- server cannot be conelated to the associated patient identi- 

lized as a type of "debit card" or payment source for use with fication information maintained in the first remote server 

the health monitoring device. That is, the removable based onthe information contained in the first and second 
memory storage device may be purchased with a monetary 50 remote servers. 

value, or it may have a monetary value that is replenishable Xo aUow conelation of the data stored in the two servers, 

over the Internet using a bank credit or debit card or other the secure medical records maintenance system includes a 

conventional payment source. The health monitoring device correlation table uniquely associating each medical records 

may then deduct the cost of perfonning particular services identification number with a particular one of the patient 
from the monetary value represented by the monetary bal- 55 identification numbers. The correlation table for a particular 

ance stored on the removable memory storage device. In patient typically resides on the patient's removable memory 

other words, the health monitoring device may be config- storage device. The correlation table for a practitioner's 

ured to activate for the performance of a service upon patients may also reside on the practitioner's computer, such 

deducting a charge for the service from a monetary value as a doctor's or pharmacist's computer, that is associated 

stored on a removable memory storage device inserted into with a hcenscd medical practitioner having an assigned 

the device. professional registration number. For further security, the 

This business model includes a health monitoring device first and second remote servers are accessed by the practi- 

operable for obtaining medical data associated with a patient tioner's computer through encrypted communications 

and reading an initial monetary balance stared on a remov- secured by an application procedure that includes validation 
able memory storage device. The health monitoring device 65 of the practitioner's registration number. The application 

determines whether the initial monetary balance is sufficient procedure may be further secured by receipt and validation 

to pay a monetary value assigned to performance of a test of a practitioner-suppUed PIN. Moreover, the application 
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procedure typically includes issuance of a client certificate FIG. 11 is a logic flow diagram illustrating a routine for 

insuring that access to the first and second remote servers computing immediate cholesterol- related diagnostic results 

occurs from the same practitioner's computer and browser for a health monitoring and diagnostic device, 
that initiated the appUcation procedure. pjc 12 is a logic flow diagram illustrating a routine for 

Because the data on the servers is separate and secure 5 remotely producing health reports, 
from each other, access may be granted to either server ^3 ^3 ^ ^^gic flow diagram fllustrating a routine for 

without idenUfymg any particular patient s medical data. ^^^^ j^.^ical data to a PIN-secured removable memory 
For example, access may be granted to the first remote ^^^^^^ fo, ^ ^^^^ monitoring and diagnostic 

server, but not to the second server, for the purpose of device 
generating a mailing list of patients without divulging any 10 ^ 

medical data associated with the paUents. Similarly, access ^ functional block diagram of a system for 

may be granted to the second remote server, but not to the ^^^^S ^ ^^^^^^ momtonng and diagnostic device in connec- 
first server, for the purpose of conducting investigative " ^^^^^ ^^^^^ maintenance system, 

analyses involving the medical data without divulging any PI^- software architecture diagram illustrating a 

patient identification information associated with the 15 system for conducting secure communications between a 

patients. health monitoring and diagnostic device and a secure medi- 

For further data security and because each removable '^^^^''^^ maintenance system, 

memory storage device only has a limited data storage PIG, 16 a functional block diagram illustrating security 

capability, the medical data stored on each removable aspects of a secure medical records maintenance system, 
memory storage device may be automatically erased from 20 pjo, 17 is a logic flow diagram iUustrating a process for 

the memory storage device after the data is entered into the a communicating with a secure medical records maintenance 

second remote server. To obtain the medical data, the system. 

removable memory storage device is receivable within a piQ. 18 is a logic flow diagram illustrating a process for 

hand-held health monitoring device operable for storing the applying for access to a secure medical records maintenance 
medical data on the removable memory storage device. And 25 ^y^t^ju 

to download the medical data to the medical records main- ^li-^ in v„i„ . -n * *• *• 

J . . FIG. 19 is a logic flow diagram lUustratmg a process for 

tenance system, the removable memory storage device is 1 • * j- f j - . 

. , / j.^ . J. logging mto a secure medical records maintenance system, 

receivable within a computer operable for reading the medi- ^^ ^.^ . . ^ . ^ 

cal data and transmitting it to the second remote server over ^0 is an lUustratioa of a "switchboard" user interface 

the Internet 30 ^ secure medical records maintenance system. 

That the invention improves over the drawbacks of health 21 is an flluslration of an "address" user interface in 

monitoring and diagnostic systems and accomplishes the ^ secure medical records maintenance system, 
advantages described above will become apparent from the FIG. 22 is an illustration of a "billing information" user 

following detailed description of the exemplary embodi- interface in a secure medical records maintenance system, 
ments and the appended drawings and claims. fig, 23 is an illustration of a "cover letter" user interface 

BRIEF DESCRIPTION OF THE DRAWINGS i° ^ ^^^e medical records maintenance system. 

HG. lAis a front view of a hand-held health monitoring . ^^9' ^4 is an fllustration of a "patient selection" user 

and diagnostic device in an open position. ^^^^^^^^ ^° ^ ^^^^ "^^^^^^^ ^^^^ mamtenance system. 

FIG. IB is a rear view of the hand-held health monitoring 40 FIG. 25 is an lUustration of a "patient information" user 

and diagnostic device of FIG. 1 in an open position. interface in a secure medical records maintenance system. 

FIG. 2 is a block diagram illustrating a system for FIG- 26 is an fllustration of a "questionnaire data" user 

remotely producing health reports. interface in a secure medical records maintenance system. 

FIG. 3 is a functional block diagram of a health moni- FIG. 27 is an illustration of a "generate reports" user 

toring and diagnostic device. interface in a secure medical records maintenance system. 

FIG. 4 is a logic flow diagram iUustrating a routine for FIG, 28 is an fllustration of typical health assessment 

activating a health monitoring and diagnostic device, charts generated by a secure medical records maintenance 

FIG. 5 is a logic flow diagram illustrating a routine for system, 
computing an activation code for a health monitoring and FIG. 29 is an fllustration of an additional health assess- 

diagnostic device. ment chart generated by a secure medical records mainte- 

FTG. 6 is a logic flow diagram iUustrating a routine for nance system, 
verifying a test strip for a health monitoring and diagnostic piG, 30 is a logic flow diagram fllustrating a routine for 

device. adding a monetary value to a smartcard for use with a health 

FIG. 7 is a logic flow diagram iUustrating a routine for 55 monitoring device, 
computing a test strip identification number for a health pjc. 31 is a logic flow diagram fllustrating a routine for 

monitoring and diagnostic device. ^sing g smartcard to pay for a service provided by a health 

FIG. 8 is a logic flow diagram iUusU^ating a routine for monitoring device, 
entering diagnostic program modules into a health monitor- 
ing and diagnostic device. DETAILED DESCRIPTION OF EMBODIMENTS 

FIG. 9 is a logic flow diagram iUustrating a routine for OF THE INVENTION 

computing immediate diagnostic results in a health moni- „ . . , 

toring and diagnostic device, and for remotely producing Hand-Held Health Momtonng and DiagnosUc 

health reports. ^^"^"^ 

FIG. 10 is a logic flow diagram fllustrating a routine for 65 Turning now to the figures, in which like numerals refer 

obtaining cholesterol-related diagnostic information for a to like elements through the several figures, FIG. lA is a 

health monitoring and diagnostic device. front view of a hand-held health monitoring and diagnostic 
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device 10, which is also referred to as a meter or a 
LIFESTREAM cholesterol meter. The meter 10 is housed in 
a clam-shell case 12 including a first compartment 14 and a 
second compartment 16. The case 12 may be opened, as 
shown in FIG. lA, or closed about a hinge 18. This allows 
a patient to close the meter 10 for transportation or storage, 
and then easily open it for use. When in use, the patient may 
place the meter 10 in the open position on a flat surface, such 
as a table or seat, or hold the meter by hand. 

Although the meter 10 is shown in a hinged clam-shell, 
hand-held configuration, it could alternatively be embodied 
in other configurations, such wall-mounted, built into a 
movable cart, built into a desktop computer, built into a fixed 
podium, and so forth. In addition, the hinged clam-shell case 
could be replaced by a non-hinged case, a separable multi- 
piece case, a case with a pull-out drawer, a case with a flat 
cover, a meter that fits into a separate zippcred case, and 
other types of single- or multi-piece configurations. Many 
other variations of the meter case configuration will be 
apparent to those skilled in the art. 

The first compartment 14 includes a holder 18 for remov- 
ably supporting a biological sample gathering device, in this 
instance a conventional springloaded finger stick 20. 
Although the holder 18 is shown as a clip with two arms that 
fit snugly against the finger stick 20, the holder may have 
any other configuration suitable for removably supporting 
the finger stick, such as a channel into which a pencil-like 
finger stick is inserted, an op en able enclosure, snaps, a 
VELCRO fastener, and the like. If samples other than blood 
are to be gathered, the first compartment 14 could alterna- 
tively house other types of biological sample gathering 
devices, such as a skin sample collector, a saliva collector, 
a stool sample collector, and so forth. In addition, the meter 
10 may include other types of instruments for gathering test 
data, for example the meter may be adapted to read non- 
proprietary test strips, or may incorporate a reusable and/or 
non-invasive testing device, such as an electrode, blood 
pressure monitoring device, sonic testing device, 
thermometer, saliva testing device, optical testing device, 
and the like. 

The first compartment 14 also includes an openable 
enclosure 24 for storing one or more packages 26 of dis- 
posable items. Specifically, each package may contain a test 
strip 28, a needle 29 for the finger stick 20, and an alcohol 
swipe 30. These disposable items are tailored for one-time 
use with the finger stick 20. If the meter 10 includes 
biological sample gathering devices other than the finger 
stick 20, other types of disposable items may be stored in the 
enclosure 24. In addition, the enclosure 24 may have other 
configurations suitable for storing or holding disposable 
items, such as a drawer, a tilting channel, a clip, and so forth. 

The second compartment 16 houses the electronic com- 
ponents of the meter 10, including a lest strip reader 32, a 
display device 34, a user input device 36, and one or more 
memory reading devices 3Sa-<i, Each of these memory 
reading devices is configured to receive a corresponding 
memory device 40a— d. The second compartment 16 also 
includes an instructional label 42 located adjacent to the 
display device 34. Internally, the second compartment 16 
houses a motherboard, an analyzer board, and a data drive 
that control the functionality of the meter 10. These internal 
components are described with reference to FIG. 3, and the 
functionality of the meter 10 is described with reference to 
FIGS. 4-13. Additional functionality of the meter for use 
with a deb it -card type payment system is described with 
reference to FIGS. 30-31. 

The test strip reader 32 may be a GLUCOTREND Basic 
TIM (test instrument modide) assembly No. 1739905-741 
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manufactured by Boehringer Mannheim, Roche Diagnostics 
GmbH, This is a commercially-available optical test strip 
reader suitable for reading chemical test strips carrying 
human blood samples and producing either blood glucose 

5 readings, total cholesterol readings, or both. Alternatively, 
other suitable types of test strip readers may be included in 
the meter 10, and multiple test strip readers may be included 
in the meter, if appropriate. This may be desirable, for 
instance, if biological samples other than blood are to be 
analyzed by the meter. The meter 10 may be configured with 
additional reusable and/or no n- invasive testing devices, such 
as an electrode, blood pressure monitoring device, sonic 
testing device, thermometer, saliva testing device, optical 
testing device, and the like. 

The display device 34 may be a conventional Uquid 
crystal display (LCD) configured to display at least two lines 
of text including at least 14 characters per line. This visual 
display works in concert with a speaker 35 that beeps to 
convey audible messages. The speaker may also produce 
other types of audible messages, such as tones, recorded 

20 messages, a simulated human voice, and the like. The meter 
10 may also include other types of visual display devices, 
such as an electronic capacitive matrix, a small video 
display, or other types of suitable visual display devices. The 
meter 10 may also include a jack for connecting the meter 

25 to external display devices, such as a computer monitor or 
video display. 

The user input device 36 may be a keypad with a first key 
section 44 and a second key section 46. The first key section 
44 includes four keys, a "scroll" key, a "yes" key, a "no" key 

3Q and an "enter" key. The second key section 46 includes 
twelve keys, including ten numerical keys, a "clear" key, and 
an "on/off" key. The user input device 36 may include other 
key patterns and other types of user input devices, such as 
a touch-sensitive screen, a voice -recognition device, or other 

35 input devices. The meter 10 may also include a jack for 
connecting the meter to external input devices, such as a 
keyboard or joystick. 

The memory reading devices ZHa—d may be romkey 
sockets, and the memory devices 4Qa-d may be romkeys 

40 that removably insert into the sockets. As shown in FIG. lA, 
the meter 10 preferably includes four romkey sockets. 
Nevertheless, the meter 10 could also be configured with 
only one socket becatise the romkeys themselves are remov- 
able. The romkeys, which store identification, expiration, 

45 and calibration data for a corresponding lot of test strips 28, 
are desirable because they arc small, may be easily packaged 
with the corresponding test strips, and have an adequate 
amount of computer-readable memory. But the romkey 
sockets may be replaced by a magnetic card reader, an 

50 optical reader, or another reader suitable for use with a 
memory storage device that can be easily shipped with a 
corresponding lot of test strips 28 and has an adequate 
amount of computer-readable memory. 

The instructional label 42 located adjacent to the display 

55 device 34 typically includes instructions for entering diag- 
nostic information into the meter 10. This label may also 
include instructions for using the meter 10 in concert with a 
remote health report system, which is described with refer- 
ence to FIG, 2. As this type of information may be under- 

60 stood best when explained by a physician or pharmacist, the 
instructional label 42 may be included on meters provided to 
physicians and pharmacists, but may be excluded from 
meters provided for home use by individual patients. The 
programmed functionality of the meter may also be adjusted 

65 accordingly. 

To use the meter 10, a patient first opens the meter and 
removes the finger stick 20 and the package of disposable 
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items 26. The palienl then opens the package, installs the 
needle 29 in the finger stick 20, and wipes the alcohol swipe 
30 on the area of the finger to be stuck witlf the needle. The 
patient also inserts the correct romkey for the test strip 28, 
represented by the romkey ^Od, into a corresponding $ 
romkey socket 38d and manipulates the keypad 44, 46 to 
indicate to the meter 10 which romkey socket contains the 
correct romkey. The patient then sticks the selected finger 
with the finger stick 20, places a droplet of blood 44 on an 
indicated area of the test strip 28, and inserts the test strip 28 
into the test strip reader 32. 

The user then manipulates the input device 36 by follow- 
ing prompts displayed on the display device 34 to complete 
the test. Within minutes, the meter 10 completes the test and 
displays the test results, such as total cholesterol levels, 
blood glucose levels or another testing service provided by 
the meter, on the display device 34. If appropriate, the user 
may also manipulate the input device 36 to enter additional 
diagnostic information into the meter, such as gender, 
ethnicity, family history of heart disease, personal history of 
heart disease, personal history of diabetes, personal history 
of smoking, height, weight, age, blood pressure, and fitness 
level. Within minutes, the meter 10 performs a diagnostic 
analysis and produces diagnostic results, such as a medical 
risk index, a recommended weight loss, a five-year risk of 
heart attack, a ten-year risk of heart attack, a cardiac age, an 
extended age, and a risk of stroke. These diagnostic resuUs 
are also immediately displayed on the display device 34. 

For a blood lipid or cholesterol test, the well-known 
Framingham Medical Study may provide the methodology 30 
used by the meter 10 to produce the diagnostic results from 
the test results and the diagnostic information. Other 
methodologies, such as those sanctioned by the National 
Cholesterol Education Program, the American Heart 
Association, the American Medical Association, or another 35 
appropriate organization may also be used. In fact, the meter 
10 may allow the user to select among several alternative 
diagnostic program modules stored within the meter. These 
diagnostic program modules may be updated firom time to 
time, and new diagnostic program modules may be added to 40 
the meter 10 through the data drive, which is described 
below. 

FIG. IB is a rear view of the meter 10, which shows the 
outside of the meter. The outside of the first compartment 14 
includes the manufacturer's name, Lifestream Technologies, 45 
Inc., and the meter's trademark, LIFESTREAM. The outside 
of the second compartment 16 includes a data drive 50, 
which includes an opening 52 for receiving a removable 
memory storage device 54. For example, the data drive 50 
may be a smartcard drive, such as an STM IC: 50 
MC33560ADW manufactured by Motorola, and the remov- 
able memory storage device 54 may be a smartcard usable 
with this drive. This smartcard typically includes an elec- 
trical contact 56 for reading and writing data and a small 
microprocessor 58, which typically controls security aspects 55 
of the smartcard. Specifically, the smartcard includes a 
PIN-protected secure memory and an unsecure memory. The 
microprocessor 58 controls the PIN and any other function- 
ality resident on the smartcard. 

The smartcard is an advantageous memory storage device 60 
because of its small size, its on-card PIN security feature, 
and its on-board programmable processing unit. Moreover, 
it is expected that smartcards will become increasingly 
popular in the near future, and most personal computers will 
come with factory-instaUed smartcard drives. Nevertheless, 65 
the meter 10 could include other types of data drives, such 
as a floppy disk drive, an optical disk drive, a removable 
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RAM chip, or any other suitable type of removable memory 
storage device. Furthermore, the meter 10 could also include 
a wire -line data port for connecting a cable or another 
computer station in addition to or as an alternative to the data 
drive. Similarly, the wire-line data port could be replaced by 
a wireless communication device, such as a radio -frequency 
link, a laser link, an infra-red link, and so forth. 

The second compartment 16 also includes a battery enclo- 
sure 60 housing a removable battery 62 for powering the 
meter 10. The battery 60, which may be a disposable 9 Volt 
battery, may be replaced or augmented by an A/C power 
cord and an appropriate power inverter. The battery 60 also 
be replaced by a rechargeable battery augmented with a 
battery charger that may be located within the meter 10 or 
in a separate enclosure, such as a storage container for 
housing the meter when it is not in use. 

Remote Health Report System 

FIG. 2 is a block diagram illustrating a system 100 for 
remotely producing health reports. The PIN-securable 
smartcard described above allows multiple patients to use 
the same meter, and also allows each patient to control 
access to his or her medical data. The smartcard is typically 
used as a temporary storage location for one or several test 
results. From time to time, each patient is expected to 
download the medical data contained on his or her smartcard 
to a health report server 102 for permanent storage. The 
smartcard is then erased (except for the PIN and any other 
security information contained in the secure memory), 
which frees the memory space for new medical data. The 
smartcard may also be used to receive new program modules 
or new versions of program modules from the health report 
server 102 and upload these program modules to the meter 
10. 

The system 100 includes the meter 10, which downloads 
medical data to the removable memory storage device 54. 
This medical data typically includes patient identification 
information, test results generated by the meter, diagnostic 
information entered into the meter 10 by the patient, and the 
diagnostic results 104 computed by the meter and immedi- 
ately displayed on the meter at the time of the test. If the 
removable memory storage device 54 is a smartcard, it may 
then be placed in a converter, such as a conventional 
smartcard-to -floppy-disk converter 106, which can be 
directly inserted into a computer station 108. The converter 
106 will be unnecessary, of course, if the computer station 
108 includes a smartcard drive, or if another communication 
mechanism is employed to transmit information between the 
computer station 108 and the meter 10. 

Once the medical data arrives at the computer station 108, 
it establishes a network connection with the health report 
server 102, typically over the Internet 110. The medical data 
is then transmitted to the health report server 102, which 
may also prompt the user for additional diagnostic and 
health report information. Specifically, the health report 
server 102 typically works in concert with the patient's 
physician or pharmacist, who may provide additional diag- 
nostic information to the server, such as a newly-prescribed 
drug therapy, other currently-prescribed drugs for the 
patient, exercise and dietary recommendations, and so forth. 
Within minutes, the health report server 102 assembles a 
comprehensive health report 112 that is transmitted back to 
the computer station 108, where it may be printed on a local 
printer 114. User access procedures and a menu -driven user 
interface system for generating the health reports is 
described with reference to FIGS. 17-29. 
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The comprehensive health report 112 typically includes a 
data sheet for the newly -prescribed drug, cross-reaction 
information for the newly-prescribed drug and the other 
currently-prescribed drugs, weight and total cholesterol 
goals, exercise and dietary recommendations, any food or 5 
activity warnings associated with the overall therapy 
package, and recommendations for on-going monitoring 
using the meter. This provides a complete written record of 
the patient's current condition, the therapy prescribed by the 
physician and filled by the pharmacist, and a roadmap for lo 
monitoring the patient's progress during the ensuing 
therapy. 

The comprehensive health report may also include addi- 
tional patient -specific information, such as the diagnostic 
information and results compiled by the meter, and addi- 15 
tional diagnostic and health assessment information com- 
piled by the server. For example, the report may include a 
trend analysis showing how blood lipid, blood glucose, and 
weight levels have changed over multiple readings. The 
report may also include generally-applicable educational 20 
information, such as coronary risk factors, dietary guidelines 
for reducing cholesterol levels, diabetics information, cancer 
information, and the like. At present, a patient may have to 
undergo a physical examination, pay thousands of dollars, 
and wait weeks to obtain a similar comprehensive health 25 
report. The network-based comprehensive health analysis 
and reporting system, working in concert with the 
LIFESTREAM cholesterol meter, allows the patient to 
obtain the report within minutes at a fraction of the cost. 

The Internet 10 allows a wide variety of users to access ^0 
the health report server 102, which allows meters to be 
deployed in a variety of settings. For example, the accessing 
computer stations may include a physician's computer sta- 
tion 116, a pharmacist's computer station 118, an individu- 
al's computer station 120, and many others. This will allow 35 
meters to be effectively deployed for multi-patient use in 
cHnics, physicians' ofiSces and pharmacies, as well as for 
individual patient or family use in the privacy of their own 
homes. 

40 

Functional Operation of the Meter 

FIG. 3 is a functional block diagram of the health moni- 
toring and diagnostic device 10, which is also referred to as 
a meter. The meter includes an analyzer board 150, a mother 
board 152, a memory reading device 154 including the 45 
romkey sockets 3Sa-d and corresponding romkeys 40fl-<i, 
and a user interface 156 including the display device 34, the 
speaker 35, and the input device 36. The memory reading 
device 154 and the user interface 156 were described with 
reference to FIG. lA. Although the analyzer board 150 and 50 
the mother board 152 may be configured as two separate 
integrated circuit boards, alternatively they may be com- 
bined into a single integrated circuit board, or deployed on 
more than two integrated circuit boards. 

The analyzer board 150 may be part of the GLU- 55 
COTREND Basic TIM (test instrument module) assembly 
No. 1739905-741 manufactured by Boehringer Mannheim, 
Roche Diagnostics GmbH. This board includes the test strip 
reader 32, which was described with reference to FIG. lA, 
a test instrument module 158, and a romkey driver 160. The 60 
test strip reader 32 reads the test strip 28 carrying the blood 
sample 44. The romkey driver 160 reads the calibration data 
for the test strip 28 from a corresponding romkey, such as the 
romkey 4Qd, and the test instrument module 158 computes 
the test results from the test strip reading and the calibration 65 
data. These test results are then passed lo the motherboard 
152. 



The motherboard 152 includes a non-intemiptible battery 
162, such as a hthium battery. The non-interruptible battery 
162, which powers the on-board to clock 164, is distinct 
from the power supply battery 62 (shown on FIG. IB). The 
additional non-interruptible battery 162 allows the clock to 
continue functioning even when the power supply battery 62 
runs do\m or is removed from the meter 10. The mother- 
board 152 also includes a processor 166 and a memory 168 
that control the functionality of the meter 10. Specifically, 
the memory 168 stores and the processor 166 implements a 
meter activation routine, test strip verification routine, diag- 
nostic routines, and a read/write security routine. These 
program modules are described with reference to FIGS. 
4-13. The motherboard 152 also includes a data drive 170 
that reads data from and writes data to the removable data 
storage device 54, such as a smartcard. 

The mother board processor 166 may be a 40-pin DIP 
CPU Model No. MC68HC705C9ACP manufactured by 
Motorola. The data drive 170 may be a STM IC Model No. 
MC33560ADW ISO read/control card manufacmred by 
Motorola, supported by an ISO Card Socket, Model No. 
145206-3 physical interface manufactured by AMP. 
However, any of these specific devices may be replaced by 
equivalent devices capable of performing the functionality 
of the meter 10 described in this specification. 

To verify test strips, the romkey driver 160 reads a code 
number from a romkey, such as the romkey 40d, installed in 
the meter 10. The code number typically includes the lot 
number for the corresponding test strips and a test type ID 
stored on the romkey by the manufacturer of the meter 10. 
The test strip 28 has an associated test strip identification 
number 172 that is mathematically derived from the code 
number and printed on the test strip itself, the packaging for 
the test strip, or a tag packaged with the test strip. The meter 
10 prompts the user to enter the test strip identification 
number 172 into the meter using the keypad 46. 

The meter 10 also reads the code number from the 
memory device, mathematically derives a test strip identi- 
fication number corresponding to the code number, com- 
pares the received test strip identification number to the 
derived test strip identification number, and activates the 
meter for use with the test strip only if the received test strip 
identification number corresponds to the derived test strip 
identification number. The romkey 40d also stores an expi- 
ration date for the corresponding test strip 28. The meter 10 
reads the expiration date and activates for use with the test 
strip 28 and the romkey 40d only if the expiration date is 
prior to a current date read by the meter from the internal 
clock 164. 

FIGS. 4-14 are logic flow diagrams illustrating examples 
of the functionality that may be implemented by the meter 
10 and the system 100 for remotely generating health 
reports. The following description of these logic flow dia- 
grams wiU also refer to the elements shown on FIGS. 2 and 
3. It should be understood that these examples illustrate the 
use of these components in producing total cholesterol tests 
and related health reports. In particular, the specific diag- 
nostic information gathered and the specific diagnostic 
results described are those associated with the weU-known 
Framingham Medical Study, which is incorporated herein by 
reference. Although this particular program module iUus- 
trates the operation of an illustrative embodiment of the 
invention, those skilled in the art will understand that the 
meter 10 and the system 100 could be programmed with 
additional and different program modules. 

In addition, as the meter 10 is configured with multiple 
romkey sockets and programmed to accept additional pro- 
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gram modules in the future, it will be appreciated that 
similar functionality may be implemented in the future for 
blood glucose tests and diabetes-related health reports, 
AIDS tests and related health reports, cancer tests and 
related health reports, and so forth. Additional functionality 
of the meter 10 for use with a debit-card type payment 
system is described with reference to FIGS. 30-31. 

Meter Activation 

FIG. 4 is a logic flow diagram illustrating a routine 400 for 
activating the meter 10. This routine requires that a user 
enter a proper activation code to activate the meter 10. This 
typically requires that the user call the manufacturer, which 
provides an opportunity to verify the meter's authenticity, 
set up a data file for the meter in the health report server, and 
tell the user how to update the meter software, if necessary. 
If a software update is indicated, the user may be instructed 
to activate the meter, initialize a smartcard, load the smart- 
card into a computer station, and establish a network con- 
nection with the health report server. The server can then 
download the new software (e.g., new version of an existing 
software module or a new software module) to the smartcard 
54, which, in turn, can be placed back in the meter 10. The 
new software can then be uploaded to the meter. 

In step 402, the meter 10 is programmed at the factory by 
setting the internal clock 164 to the correct date and storing 
an activation code algorithm within the meter. Step 402 is 
followed by routine 404, in which the activation site, typi- 
cally the manufacturer, computes an activation code for the 
current day. That is, each day the activation site computes a 
new activation code that is vaUd only for that day. The 
activation code is computed using the same algorithm that 
was stored in the meter 10 in step 402. This algorithm is 
described below with reference to FIG. 5. 

Step 404 is followed by routine 406, in which the acti- 
vation site receives an activation communication for the 
purpose of activating a meter 10. The user of the meter 
typically places this communication by placing a telephone 
call to a telephone number (e.g., a "1-800" or other loll-free 
telephone number) on the meter or on the packaging or 
documentation provided with the meter. Step 406 is fol- 
lowed by routine 408, in which the activation site delivers 
the activation code for the current date to the calling user. 
Step 408 is followed by routine 410, in which the calling 
user enters the activation code into the meter 10 by manipu- 
lating the user input device 36. 

Step 410 is followed by step 412, in which the meter 10 
verifies the received activation code by computing an acti- 
vation code using its on-board activation code algorithm and 
the current date read fi^om its internal clock 164. In doing so, 
the meter 10 uses the same algorithm that was used by the 
activation site to compute the activation code that was 
delivered to the user and entered into the meter (i.e., the 
algorithm described with reference to FIG. 5). Step 412 is 
followed by routine 414, in which tbe meter 10 compares the 
received activation code to the computed activation code. 
Step 414 is followed by routine 416, in which the meter 10 
determines whether the activation is verified by determining 
whether the received activation corresponds to the computed 
activation code. 

If the activation is not verified, the "NO" branch is 
followed from step 416 to step 418, in which the meter 10 
determines whether a timeout condition or an allowed 
number of tries has been reached. If a timeout condition or 
an allowed nimiber of tries has not been reached, the "NO" 
branch loops from step 418 to step 410, and the meter 10 
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displays an error and prompts the user to reenter the acti- 
vation code. If a timeout condition or an allowed number of 
tries has been reached, the '*YES^' branch is followed from 
step 418 to the "END" step, and the meter 10 is not 
S activated. 

Referring again to step 416, if the activation is verified, 
the "YES" branch is followed from step 416 to step 420, in 
which the meter 10 is activated. Step 412 is followed by the 
"END" step, in this case with the meter 10 activated. 

FIG. 5 is a logic flow diagram illustrating a routine 404 for 
computing an activation code for the meter 10 or the 
activation site, referred to collectively below as the "com- 
puting entity." Routine 404 begins following step 402 shown 
on FIG. 4. In step 502, the computing entity gets the day, 
month, and year (six digit decimal) from the internal clock 
164. Step 502 is followed by step 504, in which the 
computing entity combines the six digits defining the date 
into a hex value (six digit hex). Step 504 is followed by step 
506, in which the computing entity applies a predetermined 

'^^ mathematical operation to this hex value to compute a new 
hex value (new six digit hex). 

Step 506 is followed by step 508, in which the computing 
entity applies a mask to the new six digit hex value to obtain 
a four digit hex value (new four digit hex). In other words, 
the computing entity selects a predetermined four of the six 
digits for further processing. Step 508 is followed by step 
510, in which the computing entity converts this new four 
digit hex value to a decimal value (four digit decimal value). 
Step 510 is followed by step 512, in which the computing 
entity relocates one or more of the digits and adds one or 
more nuU numbers at predefined locations (new four digit 
decimal value). Step 512 is followed by step 514, in which 
the computing entity uses the resulting new four digit 

2^ decimal number as the activation code. Step 514 is followed 
by the "RETURN" step, which goes to step 406 on FIG. 4. 

The mathematical operation applied in step 506 may be 
any of a variety of algorithms designed to quasi-randomize 
the result. For example, the digits may be grouped into 

40 subsets that, in turn, are used in one or more linear math- 
ematical operations, such as addition, subtraction, 
multiplication, division, raising to a power, raising to a 
fraction, and the fike. For example, a polynomial formula 
may be applied to the digits or subsets of the digits. The digit 

45 shufi^ng operation applied in step 512 is also applied to 
quasi-randomize the resuU. Many other types of quasi- 
randomizing methodologies will be apparent to those skilled 
in the art. 

Test Strip Validation 

50 

FIG. 6 is a logic flow diagram fllustrating a routine 600 for 
verifying a test strip for the meter 10. In step 602, the meter 
10 is programmed at the factory with a test strip validation 
algorithm. Step 602 is followed by step 604, in which a 

55 romkey with a corresponding lot of test strips is pro- 
grammed with a test type ID. This test type ID, together with 
a lot number for the test strips placed on the romkey by the 
test strip manufacturer, forms a four-digit code number that 
is resident on the romkey when it leaves the factory. 

60 Step 604 is followed by routine 606, in which a test strip 
ID is mathematically derived from the romkey code number. 
Routine 606 is described below with reference to FIG. 7. 
Routine 606 is followed by step 608, in which the test strip 
ID is printed on the lot of test strips corresponding to the 

65 romkey, on the packaging for the test strips, or tags that are 
packaged with the test strips. The test strips are then 
packaged with corresponding romkeys and distributed for 
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use with various meters. It should be understood that many which the meter 10 uses the resulting four digit decimal 

identical romkeys may be produced for each lot of test strips number as the test strip ID. Step 714 is followed by the 

because one romkey is included in each distribution-sized "RETURN" step, which goes to step 608 on FIG, 6. 

package, and a production-sized lot of test strips may be The mathematical operation applied in step 706 may be 

many times larger than a distribution-sized package. s any of a variety of algorithms designed to quasi-randomize 

Step 608 is followed by step 610, in which the user of a '^^^l' ^"^^ example, the digits may be grouped into 
meter 10 puts a romkey into the meter and enters the ^^^^.^ "^^^ one or more linear math- 
corresponding test strip ID into the meter using the user operations, such as addition, subtraction, 
input device 36. TOs is the test strip ID that was printed on mulUphcation division raising to a power, raising to a 
lu 7 " 7 " , , A ',i ,u , . in fracUon, and the like. For example, a polynomial formula 
the test stnp 1^ packaging, or a tag packaged with the test 10 ^J^^ of the digits. The digit 
strip m step 608. Step 610 is foUowed by step 612, m which ^^ufiQing operation appUed in steps 708 and 710 is afio 
the meter 10 gets the current date from the mtemal clock applied to quasi-randomize the result. Many other types of 
164, reads the code number and expiration date from the quasi-randomizing methodologies will be apparent to those 
romkey, and computes a test strip ID number based on the skilled in the art. 
code number. The test strip ID number is derived from the • n i: 
code number using the same algorithm that was used to lagnos ic a a t-n ry 
compute the test strip ID number at the factory in routine FIG. 8 is a logic flow diagram illustrating a routine 800 for 
505 entering diagnostic program modules into the meter 10. In 

step 612 is followed by step 614. in which the meter 10 ^'*P the meter 10 is programmed at the factory with one 
determines whether the current date isprior to the expiration ^ °' "^^'^ "Pf^ diagnosttc algorithms. In addition, a corn- 
date read from the romkey. If the current date is not prior to P"'^' maintained at the programmmg site, ypically the 
the expiration date read from the romkey, the "NO" branch ^^^i^!'^^^' ^ programmed with a cross reference table 
is followed to the "END" step, and the meter is not activated 'ndi«=/""ig/be senal number for the meter and the version 
for use with the instant romkey. If the current date is prior °^ diagnostic program module mstalled m the 
to the expiration date read from the romkey, the "YES" 25 me r . 

branch is followed to step 616, in which the meter 10 ^t some later pomt, a user downloads medical data from 

compares the received test strip (input by the user) to the '^e meter 10 to a smartcard m the course of normal meter 

computed test strip ID (derived from the code number read '"^^'^ ^ 

from the romkey). Step 616 is foUowed by step 618, in ^'o^"* °" smartcard. The smartcard is then read by a 

which the meter 10 verifies the test strip if the received test ^° conaputer station, which establishes a network connecUon 

strip corresponds to the computed test strip ID. ^"^ » programming server, which may be the same as, or 

, t . L «-.^r„. L u . coordinated with, the health report server 102 shown on 

f the meter 10 verifies the test stnp, the YES branch is j. At step 804, the programming server receives the 

followed from to step 618 to step 622, in which the meter 10 ^^^^ ^^^^^ ^^^^^^ ^„ ^^^^ smartcard. Step 804 is followed 

activates for use with the mstant test stnp and romkey. Step , „ ■ - . • ^r„,^, «u„ 

iti-i ■ f n *u «T7VTT-k» * jf,u * lAj * by step 806, m which the programmmg serverinstnicts the 

622 IS followed by the "END" step. If the meter 10 does not , ^.t. c*™^ 

, ... ^<xT^., . . ' ,1 11- . computer station to erase the unsecured data stored on the 

verify the test stnp, the NO branch is followed from step _*jti.* *u * *u j-i 

^^n. • 1-1 1 1 . • 1 smartcard. That IS, the computer station erases the medical 

618 to step 620, in which the meter 10 determmes whether ' 7,^™^ . u„* a^^^ 

^ , , . , , data stored m the unsecure memory but does not erase the 

a timeout condition or an allowed number of tnes has been nixi j * * j * *l 

, „ , , PIN or any data stored in the secure memory, 
reached. If a timeout condmon or an allowed number of tries ^„ o^v^ • „ . • ... 
. . . u J 4U i(KT/^« u L 1 f * Step 806 is followed by step 808, in which the program- 
has not been reached, the NO branch loops irom step 620 . ^ , . . . r . ^/^ r . 
t« of«« A tK^ r^^t^. 1 ft ^;o«i.„o o« o7^r ^r.A «™«to ^^E> scFver gets the serial number for the meter 10 from the 
to step 610, and the meter lU displays an enor ana prompts • , , . , , , , r- 
tu^ #^ t^ci ^t.ir. fn ^«^/«^ tulr^^^l^t received data and looks up the version numbers for the 
the user to reenter the test strip lU and/or insert the correct . . .r.. or,^ 
romkey. If a timeout condition or an allowed number of tries diagnostic program modules installed on the meter. Step 808 
has been reached, the "YES" branch is followed from step If ^^^^^^^ f'^ f/^*^' the programmmg server 
<c->A «K« "CKm» ^t^« r^^A tKo ™to. 1ft .-c ««t .^iUrnf^A fZ determines whether the meter 10 includes the latest version 
620 to the END step, and the meter 10 is not activated lor i, i , . . i j , • . n j 

■ ^ , , , , • A 1 of all of the program modules that should be installed on the 

the instant test stnp and romkey. ^ t^.u 7 ia * i ^ *u i » * • p n f*u 

^ meter. If the meter 10 includes the latest version of aU of the 

Test Strip ID Assignment program modules that should be installed on the meter, the 

"YES" branch is followed to the "END" step, and the meter 

FIG. 7 is a logic flow diagram illustrating routine 606 for 50 software is not updated 

computing a test strip ID for the meter 10. Routine 606 ^j^^ ^^j^^^ ^^^^^ ^^^^ .^^^^^^ 

begins followmg step 604 shown on FIG. 6. In step 702, the ^^^^^ ^^^^.^^ ^ ^^^^^^^ ^^^^^^ 

meter 10 reads the code number (i.e. lot number plus test .^^^^^^ ^^^^^ ^^^^^^ ^ ^^^^^^^ 

type ID) from the romkey. Step 702 is followed by step 704, ^ ^^^^ programming server loads new diagnostic 

m which the meter 10 convert this fo^ 55 program modules, new versions of diagnostic program 

to 16.bit binary value. Step 704 is foUowed by step 706, in ^^^^^^^^ ^^^^^ ^^^^^ ^^^^^^ ^^^^^^ 

which the meter 10 appbes a predetermined mathemaUcal sn^artcard. At some later point in step 814, the smartcard is 

operation to this 16-bit binary value. ^^^^^^ ^^^^ ^ ^^^^^ ^^^^^ ^t^p 

Step 706 is followed by step 708, in which the meter 10 followed by step 816, in which the new diagnostic program 

checks a value at a predetermined bit of the 16-bit binary 60 modules, new versions of diagnostic program modules, or 

value. Step 708 is followed by step 710, in which the meter updates for existing program modules stored on the smart- 

10 performs a conditional bit swap. That is, a first type of bit card are uploaded to the meter 10. Step 816 is followed by 

swap is performed if the value of the checked bit is a "1" and "END" step, 

a second type of bit swap is performed if the value of the . , . . 

checked bit is a "0." Step 710 is foUowed by step 712, in 65 DiagnosUc Analysis 

which the meter 10 converts the resulting number to a four FIG. 9 is a logic flow diagram iUustrating a routine 900 for 

digit decimal value. Step 712 is followed by step 714, in computing immediate diagnostic results in the meter 10, and 
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for remotely producing health reports. In step 902, the meter the "RETURN" step, which goes to routine 910 shown on 

10 prompts the user to select a romkey and insert a corre- FIG. 9. It will be appreciated that the preceding list of 

sponding test strip, with a blood sample, into the meter. Step diagnostic information is only illustrative of the type of 

902 is followed by step 904, in which the meter 10 prompts information that may be gathered, and that less data, differ- 
the user to select a desired diagnostic program module 5 ent data, or more data could be gathered, if desired, 

corresponding to the type of test strip inserted into the meter. piG. 11 is a logic flow diagram illustrating rouune 910 for 

Step 904 is foUowed by step 906, in which the meter 10 computing immediate cholesterol-related diagnostic results 

performs the test stnp venfication algorithm shown on FIG. for the meter 10. Routine 910 begins foUowing routine 908 

6 and, if the test strip is verified, obtains test results. shown on FIG. 9. In step 1102, the meter 10 prompts for and 

Step 906 is followed by routine 908, in which the meter 10 receives a selection of a diagnostic algorithm resident on the 

10 prompts the user for additional diagnostic information. meter. Step 1102 is followed by step 1104, in which the 

Routine 908 is described below with reference to FIG. 10. meter 10 gets total cholesterol test results from the test 

Routine 908 is followed by routine 910, in which the meter insUiiment module 158 or, if they are not available, prompts 

10 computes immediate diagnostic results. Routine 910 is the user to input the test results manually, 
described below with reference to FIG. 11. Routine 910 is 15 step 1104 is followed by step 1106, in which the meter 10 

followed by step 912, in which the meter 10 displays the calculates and displays a medical risk index associated with 

diagnostic results on the display device 34. Step 912 is heart disease or heart attack, such as "very high," "high," 

followed by step 914. m which the meter 10 stores the test "moderate," "low," or "very low." Step 1106 is followed by 

results, the diagnostic information, and the diagnostic results step 1108, in which the meter 10 calculates and displays a 
(and also stores the meter*s serial number) on the smartcard. 20 recommended weight loss, if appropriate. Step 1108 is 

At some later point, in step 916 the user reads the followed by step 1110, in which the meter 10 calculates and 

smartcard with a computer station. Step 916 is followed by displays a 5-year cardiac risk (e.g., risk of cardiac arrest in 

step 918, in which the computer station establishes a net- five years is 10%). Step 1110 is followed by step 1112, in 

work connection with the health report server 102. Step 918 which the meter 10 calculates and displays a 10-year cardiac 

is followed by step 920, in which the computer station risk (e.g., risk of cardiac arrest in ten years is 20%). 

downloads the data from the smartcard to the health report step m2 is foUowed by step 1114, in which the meter 10 

seiver 102. Step 920 is followed by routine 922, in which calculates and displays a cardiac age (to compare against the 

health report server 102 receives additional diagnostic and patient's chronological age). Step 1112 is followed by step 

health report infonmation from the user of the computer ux4, in which the meter 10 calculates and displays an 

station and compiles a personal health report based on the extended cardiac age (e.g., cardiac age compared to chro- 

data received from the computer station. Routine 922 is nological age for five, ten, fifteen, etc. years into the future), 

descnbed below with reference to HG. 12. Routine 922 is step 1116 is followed by step 1118, in which the meter 10 

followed by step 924, in which the health report server 102 calculates and displays a medical risk index associated with 

transmits the health report to the computer station, where the stroke, such as "very high," "high," "moderate," "low," or 

health report is printed and delivered to the patient. Step 924 "very low." Step 1118 is followed by the "RETURN" step, 

IS followed by the "END" step. ^hich goes to step 912 on FIG. 9. It will be appreciated that 

FIG. 10 is a logic flow diagram illustrating routine 908 for the preceding Ust of diagnostic results is only illustrative of 

obtaining cholesterol-related diagnostic information for the the type of information that may be generated, and that less 

meter 10. Routine 908 begins following step 906 shown on data, different data, or more data could be generated, if 

FIG. 9. In step 1002, the meter 10 prompts for and receives desired, 
the patient's gender. Step 1002 is foUowed by step 1004, in 

which the meter 10 prompts for and receives the patient^s Remote Health Report Generation 

ethnicity. Pj^ -,^2 is a logic flow diagram illusU-ating routine 922 for 

Step 1004 IS followed by step 1006, in which the meter 10 45 remotely producing health reports. Routine 922 begins fol- 

prompts for and receives an indication of the patient's lowing step 920 shown on FIG. 9. In step 1202, in which the 

family history of heart disease. Step 1006 is followed by step health report server 102 prompts for and receives a new drug 

1008, in which the meter 10 prompts for and receives an therapy, such as a cholesterol-lowering prescription. Step 

indication of the patient's personal history of heart disease. 1202 is followed by step 1204, in which the health report 

Step 1008 is followed by step 1010, in which the meter 10 50 server 102 gets a prescription data sheet for the drug therapy, 

prompts for and receives an indication of whether the patient This data sheet typically includes instructions for taking the 

is a type-1 diabetic. Step 1010 is followed by step 1012, in prescription, such as dosage, times to take each dose, 

which the meter 10 prompts for and receives an indication whether to take with food or liqiud, whether to avoid 

of whether the patient is a type-2 diabetic. Step 1012 is driving, pregnancy-related insUnictions, foods to avoid, and 
followed by step 1014, in which the meter 10 prompts for 55 so forth. 

and receives an indication of whether the patient is a smoker. Step 1204 is followed by step 1206, in which the health 

Step 1014 is followed by step 1016, in which the meter 10 report server 102 prompts for and receives information 

prompts for and receives an indication of the patient's regarding any other prescription drugs that the patient is 

height. Step 1016 is followed by step 1018, in which the currenUy taking. Step 1206 is followed by step 1208, in 
meter 10 prompts for and receives an indication of the 60 which the health report server 102 gets cross-reaction infor- 

patient's weight. Step 1018 is followed by step 1020, in mation regarding the new drug therapy and the other current 

which the meter 10 prompts for and receives an indication drug prescriptions. Step 1208 is followed by step 1210, in 

of the patient's age. Step 1020 is followed by step 1022, in which the health report server 102 prompts for and receives 

which the meter 10 prompts for and receives an indication a specific description of exercise therapy for the patient, or 
of the patient's blood pressure. Step 1022 is followed by step 65 a selection of standard exercise sections for inclusion in the 

1024, in which the meter 10 prompts for and receives an healtii report. Step 1210 is followed by step 1212, in which 

indication of the patient's fitness. Step 1024 is foUowed by the health report server 102 prompts for and receives diet 
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therapy for the patient, or a selection of a standard diet 
section for inclusion in the health report. Step 1212 is 
followed by step 1214, in which the health report server 102 
prompts for and receives indications of additional standard 
sections for inclusion in the health report. 5 

Step 1214 is foUowed by step 1216, in which the health 
report server 102 assembles the preceding information for 
inclusion in a health report. Step 1216 is followed by step 
1218, in which the health report server 102 prompts for and 
receives trend analysis selections. Step 1218 is followed by 
step 1220, in which the health report server 102 prepares the 
selected trend analysis, such as total cholesterol and blood 
glucose levels over a series of tests. The trend analysis may 
be provided alone or as part of the health report. Step 1220 
is followed by step 1222, in which the health report server 15 
102 assembles the preceding information into a health report 
and/or trend analysis report. Step 1222 is followed by the 
"RETURN" step, which goes to step 924 shown on FIG. 9. 
It will be appreciated that the preceding list of health report 
information is only illustrative of the type of information 
that may be compiled, and that less data, different data, or 
more data could be compiled, if desired. 

Smartcard PIN Security 

FIG. 13 is a logic flow diagram illustrating a routine 1300 
for saving medical data to the PIN-secured removable 
memory storage device 54, represented by a smartcard. In 
step 1302, a user places the smartcard in the meter 10. Step 
1302 is followed by step 1304, in which the meter 10 
prompts for and receives a PIN from the user. Step 1304 is 
followed by step 1306, in which the meter 10 reads the PIN 
field on the smartcard. Step 1306 is followed by step 1308, 
in which the meter 10 determines whether the PIN field is 
occupied (i.e., whether a PIN has been previously stored on 
the smartcard). 

If the PIN field is not occupied, the "NO" branch is 
followed from step 1308 to step 1310, in which the meter 10 
stores the PIN received from the user in the PIN field on the 
smartcard. Step 1310 is followed by step 1314, in which the 
meter 10 activates for use with the cunent smartcard. Step 
1314 is followed by the *'END" step. 

Referring again to step 1308, if the PIN field is occupied, 
the "YES" branch is followed to step 1312, in which the 
meter 10 determines whether the PIN received from the user 45 
matches the PIN stored in the PIN field on the smartcard. If 
the PIN received from the tiser matches the PIN stored in the 
PIN field on the smartcard, the "YES" branch is followed to 
step 1314, in which the meter 10 activates for use with the 
current smartcard. Step 1314 is followed by the "END" step. 50 

Referring again to step 1312, if the PIN received from the 
user does not match the PIN stored in the PIN field on the 
smartcard, the "NO" branch is followed to step 1314, in 
which the meter 10 determines whether a timeout condition 
or an allowed number of tries has been reached. If a timeout 55 
condition or an allowed number of tries has not been 
reached, the "NO" branch is followed to step 1318, in which 
the meter 10 displays an error and prompts the user to 
reenter the activation code. From step 1318, routine 1300 
loops to step 1312. If a timeout condition or an allowed 60 
number of tries has been reached, the "YES" branch is 
followed from step 1316 to the "END" step, and the meter 
10 is not activated for use with the instant smartcard. 

Secure Medical Records Maintenance System 

FIG. 14 is a functional block diagram of a system for 
using the meter 10 in connection with a secure medical 
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records maintenance system 1400. The meter 10 stores a 
patient's test results and diagnostic information on a remov- 
able memory storage device; such as the smartcard 54. A 
conventional interface 106 may then be used to interface the 
smartcard 54 with a conventional desktop, laptop or other 
type of computer 108, which in turn communicates with 
other computers over a network-based computer system, 
such as the Internet 110. As discussed previously, this 
Internet link may be used to produce a printed health report 
booklet 112 including a health assessment based on a 
patient's test results and diagnostic information, which a 
health-care provider typically provides to the patient. 

Although this secure medical records maintenance system 
1400 is specifically adapted for use with the meter 10, it may 
be used to store any type of electronic medical records, and 
is particularly convenient for storing a wide range of elec- 
tronic medical data generated remotely from the hospital or 
doctor's office environment. In addition, the secure medical 
records maintenance system 1400 may read medical data 
stored on memory storage devices other than the smartcard 
54, and may operate over computer networks other than the 
Internet 100. 

The secure medical records maintenance system 1400, 
which is presently known as the "PRIVALINK" system, 
operates in connection with a software module 1402 
installed on the accessing computer 108. This software is 
presently known as the "PRIVALINK" user site software. 
The server-side "PRIVAUNK" system 1400 includes a first 
remote server 1404 that stores patient identification 
information, a second remote server 1406 that stores patient 
medical data, an encryption/decryption module 1408 that 
implements encryption and other security- related functions, 
and a booklet generation module 1410, which produces 
printed heaUh report booklets 112 based on the infonnation 
stored in the servers 1404, 1406. The patient identification 
information and medical data arc maintained in separate, 
secure servers 1404, 1406 to prevent correlation of a specific 
patient's medical data with the associated patient identifi- 
cation information. 

Because the data on the servers 1404, 1406 is separate and 
secure from each other, access may be granted to either 
server without identifying any particular patient's medical 
data. For example, access may be granted to the first remote 
server 1404, but not to the second server 1406, for the 
purpose of generating a mailing list of patients without 
divulging any medical data associated with the patients. 
Similarly, access may be granted to the second remote server 
1406, but not to the first server 1404, for the purpose of 
conducting investigative analyses involving patient medical 
data without divulging any patient identification information 
associated with the medical data. 

For further data security and because each smartcard 54 
only has a limited data storage capability, the medical data 
stored on each smartcard may be automatically erased from 
the smartcard after the data is entered into the second remote 
server 1406. To obtain the medical data, the smartcard 54 is 
received within the meter 10, which stores the medical data 
on the smartcard. And to download the medical data to the 
medical records maintenance system 1400, the removable 
memory storage device is receivable within the interface 106 
for communication with the computer 108, which is oper- 
able for transmitting the medical data to the second remote 
server 1406 over the Internet 110. 

FIG. 15 is software architecture diagram illustrating a 
system for conducting secure communications between the 
computer 108 and the secure medical records maintenance 
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system 1400. The "PRIVAUNK" user site software 1402 
includes an encryption/decryption module 1412 that imple- 
ments encryption/decryption services on the client^omputer 
108. A corresponding encryption/decryption module 1408 
on the secure medical records maintenance system 1400 5 
implements complimentary encryption/decryption services 
on the server side, typically using a well-known encryption/ 
decryption package, such as that known as "BLOWFISH" or 
"DES." The server-side encryption/decryption module 1408 
also maintains access to a table of vaUd professional regis- 
tration numbers 1411, typically DEA numbers, received 
from the registering agency. This table is used to validate the 
professional registration numbers of practitioners attempting 
to access the secure medical records maintenance system 
1400. 

The server-side encryption/decryption module 1408 also 
maintains a record of all transactions with accessing com- 
puters for future analysis. In addition, all data transfers from 
the secure medical records maintenance system 1400 to the 
user site 108, such as health report booklets 112, are 
encrypted/decrypted through an Internet secure sockets 
layer connection 1500, which is well known to those skilled 
in the art. These encryption/decryption services prevent theft 
or inadvertent loss of patient medical data through unin- 
tended transmission or extraction of communications occur- 25 
ring on the Internet 110. 

The "PRIVAUNK" user site software 1402 also imple- 
ments client application, certification and login processes for 
accessing the secure medical records maintenance system 
1400. The application, certification and login process is 30 
described below with reference to FIGS. 17-19. Upon 
successful login to the secure medical records maintenance 
system 1400, the "PRIVALINK^' user site software 1402 
implements a menu -driven user interface system 1414 for 
conducting commimications between the practitioner com- 35 
puter 108 and the secure medical records maintenance 
system 1400. This interface system includes a health care 
provider data entry screen 2100 shown in FIG. 21, a patient 
address data entry screen 2500 shown in FIG. 25, a patient 
test data entry screen 2600 shown in FIG. 26, a booklet 40 
selection screen 2700 shown in FIG. 27, and a booklet 
preview/printing screen 2800. The menu-driven user inter- 
face system 1412 also includes other related user interface 
screens. The operation of the menu -driven user interface 
system 1412 is described below with reference to FIG. 17. 45 

FIG. 16 a functional block diagram illustrating security 
aspects of the secure medical records maintenance system 
1400. The secure medical records maintenance system 1400 
preferably includes a large number of smartcards 54a-«, 
which operate in concert with a large number of meters 50 
lOa-n. Although each smartcard S4a-n is preferably used to 
store medical data for an associated patient, each card could 
be used to store medical data for multiple patients. Each 
smartcard 54 also stores a patient-specified personal identi- 
fication number (PIN), and may stone PINs for multiple 55 
patients if the smartcard is configured to store medical data 
for multiple patients. Each PIN is used to gain access to a 
secure storage area on the smartcard 54, which stores an 
associated patient identification number and medical records 
identification number, which are assigned by the secure go 
medical records maintenance system 1400. 

The first remote server 1404 of the secure medical records 
maintenance system 1400 stores patient identification infor- 
mation indexed by patient identification numbers, and the 
second remote server 1406 stores patient medical data 65 
indexed by the medical records identification numbers. 
Typically, each patient identification number and medical 
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identification number is a unique nimiber assigned by the 
operator of the secure medical records maintenance system 
1400 upon entry of each patient into the system. For 
example, the patient identification numbers and medical 
identification numbers may be social security nimibers or 
sequential registration numbers. Alternatively, the patient 
identification numbers and medical identification numbers 
may be imique numbers computed by a non-repeating 
pseudo-random number generator. The patient identification 
number and the medical records identification number may 
be 16-bit hexadecimal or another suitable value. In addition, 
either or both of the patient identification number and the 
medical records identification number may be a global user 
identification number (GUID), which is a secure communi- 
cation key generated by weU-known secure encryption 
systems, such as currently available private -key and public- 
key encryption systems including "BLOWFISH," "DES" 
and others. Many other schemes for assigning unique patient 
identification numbers will become evident to those skilled 
in the art. 

For security purposes, the medical data maintained in the 
second remote server 1406 cannot be correlated to the 
associated patient identification information maintained in 
the first remote server 1408 based on the information 
contained in the first and second remote servers. To allow 
correlation of the data stored in the two servers 1404, 1406 
the secure medical records maintenance system 1400 
includes a correlation table 1600 uniquely associating each 
medical records identification number with a particular one 
of the patient identification numbers. The correlation table 
1600 for a particular patient typically resides in the PIN- 
secured storage area on the patient's smartcard 54. The 
correlation table 1600 for a practitioner's patients may also 
reside on the practitioner's computer 108, such as a doctor's 
or pharmacist's computer, that is associated with a licensed 
medical practitioner having an assigned professional regis- 
tration number (DEA number). Each practitioner's correla- 
tion table 1600 is preferably encrypted and maintained in a 
secure file. The proprietor of the secure medical records 
maintenance system 1400 may also maintain a complete 
back-up correlation table 1600, typically in a secure 
encrypted file located on a separate file server. 

For further security, the first and second remote servers 
1404, 1406 are accessed by the practitioners' computers 
108a-« through encrypted communications secured by an 
application procedure that includes validation of the practi- 
tioner's registration number (DEA number). This access will 
be limited to medical records and patient identification 
information associated with the accessing practitioner. In 
other words, each practitioner will only have access to his or 
her patients' medical records and patient identification infor- 
mation. 

Similar access procedure may be implemented for indi- 
vidual patients, except that access will be limited to that 
particular patient's medical records and patient identifica- 
tion information. For example, individual patients may 
register in advance with the proprietor of the system 1400, 
which will issue each patient a unique registration number. 
In this case, the first and second remote servers 1404, 1406 
may accessed by computers operated by the individual 
patients through encrypted communications secured by an 
application procedure that includes validation of the 
patient's registration number. 

For both practitioners and individual patients, the appU- 
cation procediue may be further secured by receipt and 
validation of a client-supplied PIN. Moreover, the applica- 
tion procedure typically includes issuance of a client cer- 
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tificate insuring that access to the first and second remote analysis by the server-side encryptioo/decrj^tion module 
servers occurs from the client computer that initiated the 1408. The client application request is typically received by 
application and ccftification process. an Internet link to a specified web page associated with the 
Those skilled in the art will appreciate that the data server-side encryption/decryption module 1408, The medi- 
distributioD system implemented by the secure medical s cal practitioner can obtain the proper Internet address by 
records maintenance system 1400 includes many aspects of placing a telephone call to the operator of the system 1400. 
data security. For example, a patient's medical records The phone number, and possibly the Internet address, will be 
identification number cannot be obtained from the patient's printed on each meter 10 and may also be available through 
smartcard 54 without access to the patient- assigned PIN. In other forms of notification, such as advertisement and direct- 
addition, while the patient's medical data is indexed by the mail notification to licensed practitioners (e.g., physicians 
patient's medical records identification number in the sec- pharmacists). 

ond server 1406, the patient's name and other identification Step 1802 is followed by step 1804, in which the 

information cannot be retrieved from the first server 1404 PRIVALINK software 1402 displays an application screen 

using this data. Similarly, a hacker obtaining assess to one or receives client input including the practitioner's profes- 

both of the servers 1404, 1406 cannot correlate patient ^^^"^^ registration number, typically a DEA number. Step 

identification information with patient medical data. In ^^P^ followed by step 1806, in which the PRIVALINK 

addition, the correlation data for the entire secure medical receives a certification request including 

records maintenance system 1400 is distributed among the t° ^^^.^P^^? ^^P"' f typically associated 

various smartcards 54a-n and practitioner computers I^^l^^Z^^i^Wt^n f '^'^T t i / 1f^'?«n^ 

-ino - * J f * T-u u 1 screen and selection of a submit control item. Step 1806 

lOHa-n repstered for use with the system. Thus a hacker ^ ^jj^^^j ^ ^^^^ ^^^^ PRIVALINK soft- 

cannot obtain the correlation data for any smgle paUent, 1402 downloads an encryption program module from 

much less the entire database, through access to the the server-side encryption/decryption module 1408, such as 

centrally-mamtained data servers 1404, 1406. ^n "ACTIVE X^' control or applet, to the cHent's computer 

For further security, the secure medical records mainte- 108. This encryption program module typically includes a 

nance system 1400 cannot be accessed from the a medical 25 "key" or nugget of information to be stored in the accessing 

practitioner's computer 108 without knowledge of the browser. The server-side encryption/decryption module 

proper practitioner-assigned PIN. And all communication 1408 can later check an accessing computer for the presence 

between the practitioner's computer 108 and the secure of the "key" to ensure that the accessing computer and 

medical records maintenance system 1400 are encrypted for browser is the same as the one going through the application 

transmission security. Furthermore, each correlation table 30 procedure. 

1600, which provides the link between patient identification Step 1808 is followed by step 1810, in which the server- 
numbers and medical records identification numbers for a side encryption/decryption module 1408 vaMdates the reg- 
particular practitioner, may itself be encrypted, with the key istration number (e.g., DEA number) entered by the 
to this encryption stored in a separate location. For example, applicant, typically by comparing the received registration 
this encryption key may be a practitioner PIN or GUID 35 number to the table of valid registration numbers 1411 
stored on a PIN-secured area the practitioner's computer 108 received from the registration authority (e.g., table of valid 
or on a smartcard 54 assigned to the practitioner. DEA numbers). If the registration number is properly 
FIG. 17 is a logic flow diagram illustrating an illustrative validated, step 1810 is followed by step 1812, in which the 
process 1700 for communicating with the secure medical server-side encryption/decryption module 1408 transmits an 
records maintenance system 1400. In routine 1702, a mcdi- 40 email message to the PRIVALINK software 1402 including 
cal practitioner conducts a client application procedure to a URL for accessing the secure servers 1404, 1406. Step 
obtain a secure client certificate, which is also known as a 1812 is followed by step 1814, in which the PRIVALINK 
"CA" or certificate-authentication. Routine 1702 is software 1402 transmits a client link to the designated URL. 
described in greater detail with reference to FIG. 18. Routine Upon receipt of the link, the server-side encryption/ 
1702 is followed by a client login procedure 1704, which is 45 decryption module 1408 checks for the presence of the 
described in greater detail with reference to FIG. 19. These "key" to ensure that the accessing computer and browser is 
procedures ensure that access to the secure medical records the same as the one that went through the application 
maintenance system 1400 is limited to registered medical procedure. 

practitioners using the same computer and browser that the If the "key" is properly validated, step 1814 is followed 

practitioner used to obtain a secure client certificate through 50 by step 1816, in which the server-side encryption/decryption 

the application procedure. That is, any attempt to access the module 1408 transmits a "server root CA" and a "client 

secure medical records maintenance system 1400 by a certificate" to the PRIVALINK software 1402 on the cHent's 

person without a valid DEAnumber, or from a non-certified computer 108. Step 1816 is followed by step 1818, in which 

computer or browser, will be rejected. As noted previously, the PRIVALINK software 1402 links the appUcant to a 

similar procedures may be implemented for allowing indi- ss secure area of the encryption/decryption module 1408, 

viduaol patients to access their records on the secure medical which validates the presence of the server root CA. If the 

records maintenance system 1400. server root CA is properly vaUdated, step 1818 is followed 

FIG. 18 is a logic flow diagram illustrating routine 1702 by step 1820, in which the PRIVALINK software 1402 

used by a medical practitioner to apply for access to the prompts the user to identify the client certificate for use in 

secure medical records maintenance system 1400. Routine 60 the transaction. If the client certificate is properly vaKdated, 

1702 begins at the start of FIG. 17, In step. 1802, the step 1820 is followed by step 1822, in which the 

client-side PRIVALINK software 1402 issues a client appli- PRIVALINK software 1402 links the applicant to a login 

cation request to the server-side encryption/decryption mod- screen. Step 1822 is followed by step 1824, in which the 

ule 1408, which initiates a transaction document record for encryption/decryption module 1408 saves the transaction 

the communication. That is, all communications between the 65 documentation for the client's application procedure. Step 

client-side PRIVALINK software 1402 and the server-side 1824 is followed by the "CONTINUE" step, which returns 

encryption/decryption module 1408 are recorded for future to routine 1704 shown in FIG. 7. 
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FIG. 19 is a logic flow diagram illiistrating a routine 1704 
for logging into the secure medical records maintenance 
system 1400. Routine 1704 begins following routine 1702 
shown in FIG. 7. In step 1902, the PRIVALINK software 
1402 displays a login screen on the client's computer 108. 
Step 1902 is followed by step 1904, in which the 
PRIVALINX software 1402 loads the client's registration 
number, which was obtained during the application proce- 
dure described with reference to FIG. 18, into the login 



ing user interface screens. As noted above, the interface 
2100 initially appears in a "default" mode with the "address" 
tab 2106 seleaed. 

For example, step 1710 may be followed by step 1712, in 
which the PRIVALINK software 1402 displays a "bilhng 
info" user interface in response to user selection of the 
"billing info" tab 2108. FIG. 22 is an illustration of a typical 
"billing information" user interface 2108. The interface 
2100 includes a number of fields 2202 for entering payment 
screen. That is, an accessing client does not have an cppor- 10 authorization, such as a bank credit or debit card number, 
tunity to enter the login procedure without having first The interface 2100 may include other types of payment 
havmg gone through the application procedure described options, such as a bank account number for wire transfers, 
with reference to FIG. 18, which requires the appUcant to authorization to include the charges on a telephone bill or 
provide a vaHd registration number, which typicaUy may be Internet service provider bill associated with the Internet 
a DEA number for a licensed medical practitioner or a 15 Unk to the server-based system 1400, reference to an autho- 
registration number issued by the proprietor of the secure rfzed account for bilUng at a later date, and the like. 



medical records maintenance system 1400 for an individual 
patient. 

Step 1904 is followed by step 1906, in which the 
PRIVALINK software 1402 receives the practitioner's per- 
sonal identification number (PIN). Step 1906 is followed by 
step 1908, in which the encryption/decryption module 1408 
validates the practitioner's personal identification number 
(PIN) for use with the received professional registration 



Similarly, step 1712 may be followed by step 1714, in 
which the PRIVALINK software 1402 displays a "cover 
letter" user interface 2300 in response to user selection of the 
"cover letter" tab 2110. FIG. 23 is an illustration of a typical 
"cover letter" user interface 2300. This interface allows the 
practitioner to author a cover letter that will be included with 
a health report booklet to be produced by the booklet 
generation module 1410 on the server-based system 1400, as 



number. Step 1908 is foUowed by step 1910, in which the 25 described previously with reference to FIG. 9. This allows 
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encryption/decryption module 1408 determines whether the 
received PIN is a new PIN for use in connection with the 
received professional registration number. If the received 
PIN is a new PIN for use in connection with the received 
professional registration number, the "YES" branch is fol- 
lowed from step 1910 to step 1912, in which the 
PRIVALINK software 1402 prompts the user to complete 
the interface screens 2000-2007 (FIGS. 20-27). Step 1912 
and the "NO" branch from step 1910 are folio wed by step 
1914, in which the client is linked to the interface screens 
2000-2007 (FIGS. 20-27). Step 1914 is followed by "CON- 
TINUE" step, which returns to step 1706 shown on FIG. 7. 

User Interface Design 



the practitioner to customize the cover letter for each health 
report booklet produced by the system. 

To further illustrate the operation of the user interface, it 
is assumed that the practitioner next selects the "patients" 
selection item 2004 on the "switchboard" user interface 
2000. Thus, step 1714 is followed by step 1716, in which the 
PRIVALINK software 1402 displays a "patients" user inter- 
face 2400. FIG. 24 is an illustration of a typical "patient 
selection" user interface 2400. This user interface allows the 
practitioner to select a preexisting patient and to enter new 
patients. Upon entry of a new patient, the PRIVALINK 
software 1402 typically assigns a unique patient identifica- 
tion number and a unique medical records identification 
Referring again to FIG. 17, once the medical practitioner 40 ^^^^ber to the patieiit, which the user site "PRIVALINK' 



software 1402 stores in a conelation table 1600, as described 
previously with reference to FIG. 16. 

Step 1716 is followed by step 1718, in which the 
PRIVALINK software 1402 displays a "patient information" 



has successfully logged into the secure medical records 
maintenance system 1400, routine 1704 is followed by step 
1706, in which the PRIVALINK software 1402 displays a 
"switchboard" user interface 2000. FIG. 20 is an illustration 

of a typical "switchboard" user interface 2000, which 45 user interface 2500. FIG. 25 is an illustration of a typical 
includes a number of selection items corresponding to "patient information" user interface 2500. This interface 
functions available on the server. For example, the interface includes a number of fields for entering patient identification 
2000 typically includes a "provider" selection item 2002 and information, such as address, phone number, and so forth. As 
a "patients" selection item 2004. To illustrate the operation described previously with reference to FIG. 16, this patient 
of the user interface it is assumed that the practitioner 50 identification information is typically indexed by the patient 
initially selects the "provider" selection item 2002. Thus, identification number and stored in the first server 1404, 



step 1706 is followed by step 1708, in which the 
PRIVALINK software 1402 receives a "provider" selection 
from the "switchboard" user interface 2000, 

Step 1708 is followed by step 1710, in which the 
PRIVALINK software 1402 displays an "address" user 
interface 2100. FIG. 21 is an illustration of a typical 
"address" user interface 2100. The interface 2100 includes a 
first field 2102 for entering a practitioner registration 



whereas the patient's medical data is typically indexed by 
the patient's medical records identification number and 
stored in the second server 1406. 
55 Step 1718 is followed by step 1720, in which the 
PRIVALINK software 1402 displays a "questionnaire data" 
user interface 2600. FIG. 26 is an illustration of a typical 
"questionnaire data" user interface 2600. This interface 
includes a number of fields for entering patient diagnostic 



number, typically a DEA number, and a second field 2104 60 information, such as family history, age, weight, body fat, 

for entering a practitioner-assigned PIN. The mterface 2100 and so forth. This interface may be used to enter patient 

also includes a ntunbcr of other fields for entering the diagnostic information in addition to that received through 

practitioner's contact information, such as address, phone the meter 10. For example, the interface 2600 may be used 

number, and so forth. The interface 2100 also includes an to enter diagnostic data that the meter would have recorded, 

"address" tab 2106, a "biUing info" tab 2108, and a "cover 65 but the patient failed to enter the data into the meter 10. In 

letter" tab 2110 displayed adjacent to the user interface addition, the interface 2600 may be automatically filled in, 

2100. These tabs allow the user to toggle among correspond- either partially or completely, with the appropriate data 
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Stored on a corresponding smaricard 54. This step may 
require entry of an appropriate patient PIN for the corre- 
sponding smaricard 54 into the interface 2600. The interface 
2600 may also be used to change or supplement the data read 
from the smartcard 54, or enter additional diagnostic infor- $ 
mation that the meter 10 is not configured to collect from the 
patient. 

Step 1720 is followed by step 1722, in which the 
PRIVAUNK software 1402 displays a "generate reports" 
user interface 2700. FIG. 27 is an illustration of a typical iq 
"generate reports" user interface 2700. This interface 
includes a number of fields for selecting items to be included 
in a patient's health report booklet, such as cover letter, 
summary, evaluation, and so forth. The interface includes a 
number of fields for selecting therapy items to be prescribed 15 
for the patient and reflected in the patient's health report 
booklet, such as lifestyle therapy, lipid drug prescription, 
blood pressure drug prescription, and so forth. 

FIG. 28 is an illustration of typical health report charts 
generated by the secure medical records maintenance system 20 
1400 for inclusion in a patient's health report booklet. These 
charts include a "coronary risk factors" chart 2802, a "per- 
sonal health consequences" chart 2804, and an "extended 
health assessment" chart 2806. The "coronary risk factors" 
chart 2802 includes test results and diagnostic information 25 
along with ideal ranges and patient goals for these items. The 
"personal health consequences" chart 2804 includes inter- 
pretive data, such as pounds overweight, cardiac age, and 
stroke risk. The "extended health assessment" chart 2806 
includes a projection of future interpretive data, such as a 30 
projected comparison of the patient's chronological age and 
cardiac age. 

FIG. 29 is an illustration of an additional health assess- 
ment chart 2900 generated by the secure medical records 
maintenance system 1400 for inclusion in a patient's health 35 
report booklet. This chart includes a pictorial representation 
of cardiac risk factors, such as gender, smoker, personal 
history, and so forth. The health assessment chart 2900 
typically presents a pictorial assessment of the "coronary 
risk factors" shown in chart 2802. 40 

Smartcard Payment System 

The system described above is largely dependent on the 
sale of proprietary test strips 28 for the collection of revenue 
from end users. That is, the meter 10 may be made available 45 
to individual patients at little or no cost, with the sale of 
proprietary test strips 28 providing a major source of rev- 
enue for the proprietor of the health monitoring meter. This 
may be a desirable business model for deploying the meters 
10 because it minimizes the initial cost that an individual 50 
patient must pay to begin using the device. Having to sell 
each meter 10 at its full cost, on the other hand, would 
undermine the economic feasibility of using the meter in 
many contexts. 

Nevertheless, it may also be desirable to provide a meter 55 
10 that does not rely on the sale of proprietary test strips 28 
as a major source of revenue. For example, the meter may 
be adapted to read non-proprietary test strips, or may incor- 
porate a reusable and/or non-invasive testing device, such as 
an electrode, blood pressure monitoring device, sonic testing 60 
device, thermometer, saliva testing device, optical testing 
device, and the like. Of course, a non-invasive multi-use 
testing device may be used many times without affording the 
proprietor of the health monitoring device an opportunity 
collect revenue associated with use of the device. ss 

To solve this problem, the smartcard 54 may be utilized as 
a type of "debit card" for use with the meter 10. That is, the 
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smartcard 54 device may be purchased with a monetary 
value, or it may have a monetary value that is replenishable 
over the Internet using a bank credit or debit card or other 
conventional payment source. The meter 10 may then deduct 
the cost of performing particular services (e.g., blood cho- 
lesterol test, health assessment, blood sugar test, AIDS test, 
etc.) from the monetary value represented by the monetary 
balance stored on the smartcard 54. In other words, the meter 
10 may be configured to activate for the performance of a 
variety of services upon deducting a charge for the selected 
service from a monetary value stored on a smartcard 54 
inserted into the device. 

FIG. 30 is a logic flow diagram illustrating a routine 3000 
for adding a monetary value to a smartcard 54 for \ise with 
the meter 10. Although single use smartcard could be sold 
with a monetary value for use with the meter 10, the cost of 
the smartcards makes a replenishable debit card system 
preferable. In step 3002, the proprietor of the system loads 
an fllustrative smartcard 54 with debit card software and a 
zero balance. Step 3002 is followed by step 3004, in which 
the smartcard 54 is issued for use with the meter 10. For 
example, the smartcard 54 may be sold or given away 
separately or in connection with a meter 10. lypically, the 
proprietor of the system will be motivated to make both the 
meter 10 and the smartcard 54 available for little or no 
acquisition cost because the cost of these assets will be 
recovered through use of the debit-card type smartcard 54 
with meter 10. 

Step 3004 is followed by step 3006, in which the user 
establishes a PIN and activates the smartcard 54, which can 
be performed using the meter 10 or a conventional computer 
108 having a smartcard interface 106, as shown in FIG. 2. 
Step 3006 is followed by step 3008, in which the user loads 
the smartcard 54 into a conventional computer 108 having a 
smartcard interface 106 (if the smartcard in not already 
loaded) and accesses a predefined debit card Internet site by 
linking to an associated URL, which may be printed on the 
smartcard or made available through advertisement, direct 
mail, or other communication media. The debit card Internet 
site may typically be a separate server operated by the 
proprietor of the secure medical records maintenance system 
1400, or it may be another site operated by a separate 
proprietor. Step 3008 is followed by step 3010, in which the 
debit card Internet site establishes communications with the 
smartcard 54 and verifies the authenticity of the smartcard. 

Step 3010 is followed by step 3012, in which the debit 
card Internet site prompts the user for input payment autho- 
rization for a monetary value to be added to the smartcard. 
The debit card Internet site may accept a variety of payment 
options, such as a bank credit or debit card number, a bank 
account number for wire transfers, authorization to include 
the charges od a telephone biU or Internet service provider 
bill associated with the Interact link, and the like. Step 3012 
is followed by step 3014, in which the debit card Internet site 
validates the received payment authorization. Step 3014 is 
followed by step 3016, in which the debit card Internet site 
determines whether the received authorized payment source 
has a sufficient balance or credit limit for the monetary value 
that the user has requested for addition to the smartcard 54. 

If the authorized payment source has a sufficient balance 
or credit limit, the "YES" branch is followed to step 3018, 
in which the debit card Internet site adds the requested 
monetary value to the smartcard 54 and charges the cost to 
the authorized payment source. OptionaUy, the debit card 
Internet site may also load a rate schedule for services to be 
provided by the meter 10 onto the smartcard 54. In this case, 
the meter 10 reads the monetary value assigned to perfor- 
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mance of the test from the smartcard 54. Thus, rate sched- 
ules for various services to be performed by the meter 10 
may be changed from time to time, based on quantity 
discounts or other considerations. Step 3020 is followed by 
the "END" step, which concludes routine 3000. 

Referring again to step 3016, if the payment source is 
invalid or does not have a sufficient balance or credit limit, 
the "NO" branch is followed to step 3017, in which the user 
is prompted for another payment source. If the user enters 
another payment source, the "YES'' branch loops to step 
3014 for validation of the alternate payment source. If the 
user does not enter another payment source, the "NO" 
branch is followed by the "END" step, which concludes 
routine 3000. 

FIG. 31 is a logic flow diagram illustrating a routine 3100 
for using a smartcard 54 to pay for a service provided by the 
meter 10. In step 3102, a user obtains a smartcard 54 with 
a usable monetary value, typically by purchasing a smart- 
card having a usable monetary value or by adding a mon- 
etary value to a smartcard as described with reference to 
FIG. 30. Step 3102 is followed by step 3104, in which the 
meter 10 receives a request to provide a service, such as a 
blood cholesterol test and/or production of a health report, 
with the associated cost to be charged against a monetary 
value stored on the smartcard 54. Step 3104 is followed by 
step 3106, in which the meter 10 prompts the user to enter 
a smartcard 54 with a usable monetary value into the meter. 
Step 3106 is followed by step 3108, in which the meter 10 
receives the smartcard 54 in the reader 50. It should be 
understood that at this point the meter is inactive for 
performing services that require payment. Note also that the 
meter 10 may be activated alternatively through proprietary 
test strip validation, as described with reference to FIG. 6. 

Step 3110 is followed by step 3112, in which the meter 10 
prompts the user for a PIN for use with the smartcard 54 and 
validates the PIN (i.e., checks the received PIN against the 
PIN stored on the smartcard). If the PIN is validated, step 
3112 is followed by step 3114, in which the meter 10 
determines whether the monetary value stored on the smart- 
card 54 is sufficient to pay for the requested service. As 
noted previously, the meter 10 may also read the rate 
schedule from the smartcard 54. Alternatively, if no rate 
schedule is present on the smartcard 54, the meter 10 may 
use a predefined "default" rate schedule for the requested 
service. 

If the monetary value stored on the smartcard 54 is 
sufficient to pay for the requested service, the "YES" branch 
is followed to step 3116, in which the meter 10 deducts the 
cost for the requested service from the monetary value 
stored on the smartcard 54. That is, the meter 10 computes 
a revised monetary balance equal to the initial monetary 
value stored on the smartcard less the cost for the requested 
service, and replaces the initial monetary value stored on the 
smartcard with the revised monetary balance. Step 3116 is 
followed by step 3118, in which the meter 10 activates for 
performance of the requested service. Step 3118 is followed 
by step 3120, in which the meter 10 completes the requested 
service and returns to the inactive state. Referring again to 
step 3114, if the monetary value stored on the smartcard 54 
is insufficient to pay for the requested service, the "NO" 
branch is followed to step 3122, in which the meter displays 
a "balance insufficient" message. Steps 3120 and 3122 arc 
followed by the "END" step, which concludes routine 3100. 

The present invention thus provides a health monitoring 
and diagnostic device (LEFESTREAM cholesterol meter) 
that works in connection with a network-based comprehen- 
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sive health analysis and reporting system. The invention also 
provides a secure medical records maintenance system that 
works in conjunction with the health monitoring and diag- 
nostic device, and alternative business models for deploying 
the health monitoring and diagnostic devices. It should be 
understood that the foregoing pertains only to the preferred 
embodiments of the present invention, and that numerous 
changes may be made to the embodiments described herein 
without departing firom the spirit and scope of the invention. 
The invention claimed is: 

1. A hand-held health monitoring device, comprising: 
an enclosure for housing a disposable test strip for use 

with the health monitoring device; 

a holder for removably supporting a device for gathering 
a sample of biological fluid or tissue; 

a test strip reader operable for reading the test strip 
carrying the sample of biological fluid or tissue and 
obtaining test results based on the sample of biological 
tissue or fluid and calibration data specific to the test 
strip; 

a memory reading device functionally connected to the 
test strip reader and operable for reading the calibration 
data from a memory device; 

a user input device operable for receiving user input 
commands; 

a display device operable for displaying information; 
a processor functionally connected to the test strip reader, 
the user input device; and the display device, the 
processor containing a program module operable for 
obtaining the test results from the test strip reader and 
causing the display device to display the test results, 
and a diagnostic program module operable for: 
obtaining the test results from the test strip reader, 
causing the display device to prompt the user to enter 

diagnostic information using the user input device, 
performing a diagnostic analysis to produce diagnostic 

results including a cardiac age based on the test 

results and the diagnostic information, and 
causing the display device to display the diagnostic 

results; and 

a data drive functionally connected to the processor and 
operable for writing the lest results to a removable 
memory storage device. 

2. The health monitoring device of claim 1, wherein the 
processor is further operable for: 

determining whether a personal identification number has 
been previously stored on the removable memory stor- 
age device; 

if the personal identification nimiber has not been previ- 
ously stored on the removable memory storage device 
prompting the user to enter a personal identification 
number, storing the received personal identification 
number on the removable memory storage device; and 

if the personal identification number has been previously 
stored on the removable memory storage device, 
prompting the user to enter a personal identification 
number, comparing the stored personal identification 
number to the received personal identification number, 
and writing the test results to the removable memory 
storage device only if the stored personal identification 
number corresponds to the received personal identifi- 
cation number. 

3. The hand-held health monitoring device of claim 1, 
further comprising: 

a clam-shell case openable to reveal first and second 
compartments; 
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the first compartment containing the enclosure for hous- 
ing the disposable test strip and the holder for remov- 
ably supporting the biological fluid or tissue gathering 
device; and 

the second compartment containing the test strip reader, 5 
the memory reading device, the display device, the 
processor, and the data drive. 

4. The hand-held health monitoring device of claim 1, 
wherein: 

the biological fluid or tissue includes a droplet of human jq 
blood; and 

the test results include total cholesterol levels. 

5. The hand-held health monitoring device of claim 4, 
wherein the test strip reader is operable for reading a second 
type of test strip carrying a second sample of biological flmd ^5 
or tissue and obtaining health-related test results based on 
the second sample of biological tissue or fluid and calibra- 
tion data specific to the second type of test strip, further 
comprising: 

a second memory reading device functionally connected 20 
to the test strip reader and operable for reading cali- 
bration data from a second memory device correspond- 
ing to the second type of test strip. 

6. The hand -held health monitoring device of claim 5, 
wherein: 25 

the second biological fluid or tissue includes a droplet of 

human blood; and 
the test results include blood glucose levels. 

7. A health monitoring device, comprising: 

a test strip reader operable for reading the test strip ^0 
carrying a sample of biological fluid or tissue and 
obtaining health-related test results based on the sample 
of biological tissue or fluid and calibration data specific 
to the test strip; 

a memory reading device functionally connected to the 
test strip reader and operable for reading the calibration 
data from a memory device; 

a user input device operational for receiving user input 
commands; 

a display device operable for displaying information; and 
a processor functionally connected to the test strip reader, 
the user input device, and the display device, the 
processor containing a diagnostic program module 
operable for: 

obtaining the test results from the test strip reader, 
causing the display device to prompt the user to enter 

diagnostic information using the user input device, 
performing a diagnostic analysis to produce diagnostic 

results including a cardiac age based on the test 

results and the diagnostic information, and 
causing the display device to display the diagnostic 

results. 

8. The health monitoring device of claim 7, wherein: 

the biological fluid or tissue includes a droplet of human 55 
blood; 

the test results include blood lipid levels; 
the diagnostic information includes one or more of the 
following data items conresponding to a person provid- 
ing the droplet of human blood: 60 
gender, ethnicity, family history of heart disease, per- 
sonal history of heart disease, personal history of 
diabetes, personal history of smoking, height, 
weight, age, blood pressure, fitness level; and 
the diagnostic results further include one or more of the 65 
following data items corresponding to the person pro- 
viding the droplet of human blood: 
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a medical risk index, a recommended weight loss, a 
five-year risk of heart attack, a ten-year risk of heart 
attack, an extended cardiac age, and a risk of stroke. 

9. The heaUh monitoring device of claim 8, further 
comprising a data drive function aUy coimected to the pro- 
cessor and operable for writing the test results, the diagnos- 
tic information, and the diagnostic results to a removable 
memory storage device. 

10. The health monitoring device of claim 9, wherein the 
processor is further operable for: 

determining whether a personal identification number has 
been previously stored on the removable memory stor- 
age device; 

if the personal identification nimiber has not been previ- 
ously stored on the removable memory storage device 
prompting the user to enter a personal identification 
number, storing the received personal identification 
number on the removable memory storage device; and 
if the personal identification number has been previously 
stored on the removable memory storage device, 
prompting the user to enter a personal identification 
number, comparing the stored personal identification 
number to the received personal identification number, 
and writing the test results, the diagnostic information, 
and the diagnostic results to the removable memory 
storage device only if the stored personal identification 
number corresponds to the received personal identifi- 
cation number. 
U, The health monitoring device of claim 10, wherein the 
test strip reader is operable for reading a second type of test 
strip carrying a second sample of biological fluid or tissue 
and obtaining health-related test results based on the second 
sample of biological tissue or fluid and calibration data 
specific to the second type of test strip, further comprising: 
a second memory reading device functionally cormected 
to the test strip reader and operable for reading cali- 
bration data from a second memory device correspond- 
ing to the second type of test strip. 

12. The health monitoring device of claim 11, wherein: 
the second biological fluid or tissue includes a droplet of 

human blood; and 
the test results include blood glucose levels. 

13. A health monitoring device for use with a disposable 
test strip, comprising: 

a test strip reader operable for reading the test strip 
carrying a sample of biological fluid or tissue to obtain 
test results based on the sample of biological tissue or 
fluid and calibration data specific to the test strip; 

a memory device readable by the health monitoring 
device and storing a code number and the calibration 
data specific to the test strip; 

a user input device operable for entering a test strip 
Identification number into the health monitoring 
device; and 

a processor functionaUy connected to the test strip reader, 
the memory device, and the user input device, the 
processor operable for: 

reading the code number from the memory device, 

mathematically deriving a test strip identification num- 
ber corresponding to the code number, 

comparing the received test strip identification number 
to the derived test strip identification number, and 

activating the health monitoring device for use with the 
test strip only if the received test strip identification 
number corresponds to the derived test strip identi- 
fication number. 
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14. The health monitoring device of claim 13, wherein: 
the health monitoring device also includes a dock defin- 
ing a current date; " 

the memory device also stores an expiration date for the 
test strip; 

the processor is operative to read the expiration date and 
the current date; and 

the processor is operative to activate the health monitor- 
ing device for use with the test strip only if the 
expiration date is prior to the current date. 

15. Tlie health monitoring device of claim 14, wherein the 
processor is further operative for: 

receiving an activation code through the user input 
device; 

computing an activation code based on the current date 
and instructions contained in an activation routine 
stored within the health monitoring device; and 

activating the health monitoring device only if the com- 
puted activation code corresponds to the received acti- 
vation code. 

16. The health monitoring device of claim 14, wherein the 
processor is further operable for: 

obtaining the test results from the test strip reader, 
causing the display device to prompt the user to enter 

diagnostic information using the user input device, 
performing a diagnostic analysis to produce diagnostic 

results based on the test results and the diagnostic 

information; and 
causing the display device to display the diagnostic 

results. 

17. The health monitoring device of claim 16, wherein; 
the biological fluid or tissue includes a droplet of human 

blood; 

the test results include blood lipid levels; 
the diagnostic information includes one or more of the 
following data items corresponding to a person provid- 
ing the droplet of human blood: 
gender, ethnicity, family history of heart disease, per- 
sonal history of heart disease, personal history of 
diabetes, personal history of smoking, height, 
weight, age, blood pressure, fitness level; and 
the diagnostic results include one or more of the following 
data items corresponding to the person providing the 
droplet of human blood: 
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a medical risk index, a recommended weight loss, a 
five-year risk of heart attack, a ten-year risk of heart 
attack, a cardiac age, an extended cardiac age, and a 
risk of stroke. 

18. The health monitoring device of claim 17, further 
comprising a data drive functionally connected to the pro- 
cessor and operable for writing the test results, the diagnos- 
tic information, and the diagnostic results to a removable 
memory storage device. 

19. The health monitoring device of claim 18, wherein the 
processor is further operable for: 

determining whether a personal identification number has 
been previously stored on the removable memory stor- 
age device; 

if the personal identification number has not been previ- 
ously stored on the removable memory storage device 
prompting the user to enter a personal identification 
number, storing the received personal identification 
number on the removable memory storage device; and 

if the personal identification number has been previously 
stored on the removable memory storage device, 
prompting the user to enter a personal identification 
number, comparing the stored personal identification 
number to the received personal identification number, 
and writing the test results, the diagnostic information, 
and the diagnostic results to the removable memory 
storage device only if the stored personal identification 
number corresponds to the received personal identifi- 
cation number. 

20. The health monitoring device of claim 19, wherein the 
test strip reader is operable for reading a second type of test 
strip carrying a second sample of biological fluid or tissue 
and obtaining health-related test results based on the second 
sample of biological tissue or fluid and calibration data 
specifi^c to the second type of test strip, further comprising: 

a second memory reading device functionally connected 
to the test strip reader and operable for reading cali- 
bration data from a second memory device correspond- 
ing to the second type of test strip. 

21. The health monitoring device of claim 20, wherein: 
the second biological fluid or tissue includes a droplet of 

human blood; and 
the test results include blood glucose levels. 
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